diff --git a/src/SecurityInsights/SecurityInsights.Autorest/Properties/AssemblyInfo.cs b/src/SecurityInsights/SecurityInsights.Autorest/Properties/AssemblyInfo.cs index 0824e48543ba..6019456e7798 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/Properties/AssemblyInfo.cs +++ b/src/SecurityInsights/SecurityInsights.Autorest/Properties/AssemblyInfo.cs @@ -24,3 +24,4 @@ [assembly: System.Reflection.AssemblyVersionAttribute("3.2.1")] [assembly: System.Runtime.InteropServices.ComVisibleAttribute(false)] [assembly: System.CLSCompliantAttribute(false)] + diff --git a/src/SecurityInsights/SecurityInsights.Autorest/README.md b/src/SecurityInsights/SecurityInsights.Autorest/README.md index ec2f030b9f2f..9e28c9d95281 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/README.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/README.md @@ -66,7 +66,7 @@ input-file: - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/ThreatIntelligence.json #- $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Watchlists.json - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/dataConnectors.json - - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/operations.json + # - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/operations.json module-version: 1.2.0 title: SecurityInsights 
@@ -74,29 +74,20 @@ subject-prefix: Sentinel inlining-threshold: 50 -# For new modules, please avoid setting 3.x using the use-extension method and instead, use 4.x as the default option -use-extension: - "@autorest/powershell": "3.x" - directive: - # Fixes/overrides to swaggers - # Fix to x-ms-enum when integer (https://github.com/Azure/autorest.powershell/issues/856) - - from: dataConnectors.json - where: $.definitions.Availability.properties.status + # Fix Update PUT partial createdBy/updatedBy 400 error + - from: swagger-document + where: $.definitions.UserInfo transform: >- - return { - "description": "The connector Availability Status", - "format": "int32", - "type": "integer", - "enum": [ - 1 - ] - } + delete $.properties.email.readOnly; + $.properties.email['x-ms-mutability'] = ['read','update','create']; + delete $.properties.name.readOnly; + $.properties.name['x-ms-mutability'] = ['read','update','create']; # Customize # Hide Operation API - - where: - subject: Operation - hide: true + # - where: + # subject: Operation + # hide: true # Hide OfficeConsent API - where: subject: OfficeConsent @@ -109,8 +100,12 @@ directive: # Change Sets to Updates to match current module - where: verb: Set + subject: AlertRuleAction set: verb: Update + - where: + verb: Set + remove: true # fix subject name to encrichment - where: subject: DomainWhois 
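Review bot: The new UserInfo transform (`where: $.definitions.UserInfo`) deletes `readOnly` on `email` and `name` and marks them create/update-mutable, so the generated models will now serialize caller-supplied values for what appear to be server-assigned createdBy/updatedBy identity fields, while the comment only records the PUT 400 symptom. The comment should say why this is safe, e.g. `# Service overwrites createdBy/updatedBy from the caller identity; made writable only so an object read back from GET can be sent in a PUT without a 400.`, and that expectation is worth confirming against the service, since otherwise audit attribution on these resources would become client-controlled. Separately, the Availability integer x-ms-enum workaround (autorest.powershell issue 856) is dropped with no replacement; presumably the 4.x generator this commit moves to no longer needs it, but nothing in the hunk or description says so.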
@@ -145,44 +140,15 @@ directive: set: verb: Get subject: EntityActivity - # Fix Update ThreatIntelligenceIndicator - - select: command - where: - verb: New - subject: ThreatIntelligenceIndicator - variant: CreateExpanded1 - set: - verb: Update - variant: UpdateExpanded - - select: command - where: - verb: New - subject: ThreatIntelligenceIndicator - variant: CreateViaIdentity1 - set: - verb: Update - variant: UpdateViaIdentity - - select: command - where: - verb: New - subject: ThreatIntelligenceIndicator - variant: CreateViaIdentityExpanded1 - set: - verb: Update - variant: UpdateViaIdentityExpanded - - where: - subject: ThreatIntelligenceIndicatorQuery - variant: QueryViaIdentityExpanded - remove: true # Fix Entity Insights - where: subject: EntityInsight - variant: ^Get$|^GetViaIdentity$ + variant: ^(Get|GetViaIdentity)(?!.*?Expanded) remove: true # Fix Entity TimeLime - where: subject: EntityTimeline - variant: List + variant: ^(List)(?!.*?Expanded) remove: true # Rename Id for user expierence - where: @@ -225,11 +191,6 @@ directive: parameter-name: Id set: alias: IncidentCommentId - #Remove Enrichment - - where: - subject: ^Enrichment$ - variant: ^GetViaIdenity$|^GetViaIdenity1$ - remove: true # Remove source control (requires OAUTH tokens) - where: subject: SourceControl 
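Review bot: The rewritten EntityInsight pattern `^(Get|GetViaIdentity)(?!.*?Expanded)` has no end anchor, so unlike the old `^Get$|^GetViaIdentity$` it also removes numbered variants such as `Get1`/`GetViaIdentity1` if the generator emits them (this file already handles `CreateExpanded1`-style names elsewhere); the same applies to `^(List)(?!.*?Expanded)` for EntityTimeline. If only the exact unexpanded variants should be dropped, anchor the match — `variant: ^(Get|GetViaIdentity)$` — and the lookahead becomes unnecessary; if the broadening is intentional, a one-line comment saying so would spare the next reader from re-deriving it. Because these directives use `remove: true`, an over-broad match silently drops cmdlets at generation time rather than failing visibly.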
@@ -240,14 +201,24 @@ directive: subject: DataConnectorsCheckRequirement hide: true - where: + verb: New + subject: ^AlertRule$|^DataConnector$|^EntityQuery$ + variant: Create + hide: true + - where: + verb: Update subject: ^AlertRule$|^DataConnector$|^EntityQuery$ - variant: ^Create$|^CreateExpanded$|^Update$|^UpdateExpanded$|^UpdateViaIdentity$|^UpdateViaIdentityExpanded$ + variant: Update hide: true + - where: + subject: ^AlertRule$|^DataConnector$|^EntityQuery$ + variant: ^(Create|Update)(?=.*?(Expanded|JsonFilePath|JsonString))|^CreateViaIdentity$|^CreateViaIdentityWorkspace$|^UpdateViaIdentity$ + remove: true - where: verb: ^Update$|^Remove$ subject: Setting hide: true - # Hide Etag as it isnt used + # Hide Etag as it isn't used - where: parameter-name: Etag hide: true @@ -255,16 +226,16 @@ directive: - where: verb: ^Add$|^New$|^Update$|^Remove$ subject: ThreatIntelligenceIndicator - hide: true + remove: true - where: verb: ^Add$|^New$|^Update$|^Remove$ subject: ThreatIntelligenceIndicatorTag - hide: true + remove: true # CCP - where: verb: ^Connect$|^Disconnect$ subject: DataConnector - hide: true + remove: true # cmdlet review feedback - where: subject: Bookmark @@ -296,11 +267,6 @@ directive: parameter-name: DataConnectorsCheckRequirement set: parameter-name: DataConnectorCheckRequirement - - where: - verb: New - subject: AlertRuleAction - variant: Create - hide: true - where: verb: New subject: ^AlertRuleAction$|^AutomationRule$|^Bookmark$|^Incident$|^IncidentComment$| 
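Review bot: The two new hide directives for `^AlertRule$|^DataConnector$|^EntityQuery$` use unanchored `variant: Create` and `variant: Update`, which as regexes also match CreateExpanded, CreateViaIdentity, UpdateViaIdentityExpanded and the new JsonFilePath/JsonString variants; the intended result only holds because the following remove directive deletes those again. Anchoring them (`variant: ^Create$` and `variant: ^Update$`, the form the removed line used) makes each hide self-describing and independent of directive order. Note also that the later hunks in this file turn `hide: true` into `remove: true` for ThreatIntelligenceIndicator, ThreatIntelligenceIndicatorTag and the Connect/Disconnect DataConnector cmdlets: hidden cmdlets stay callable from custom/ through the internal module, removed ones do not, so any wrapper that still calls them would break at runtime rather than at build time.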
@@ -319,30 +285,28 @@ directive: - where: verb: Expand subject: ^Bookmark$|^Entity$ - hide: true + remove: true - where: verb: ^New$|^Update$|^Remove$ subject: Metadata - hide: true + remove: true # Hide Source Control - where: verb: Get subject: SourceControlRepository hide: true - # Hide UpdateViaId and Update - - where: - variant: ^Update$|^UpdateViaIdentity$ - hide: true # Remove the unexpanded parameter set - where: - variant: ^Append$|^AppendViaIdentity$|^Connect$|^ConnectViaIdentity$|^CreateViaIdentity$|^CreateViaIdentityExpanded$|^Expand$|^ExpandViaIdentity$|^ExpandViaIdentityExpanded$|^GetViaIdentityExpanded$|^PostViaIdentity$|^Query$|^QueryViaIdentity$|^QueriesViaIdentity$|^Replace$|^ReplaceViaIdentity$ + subject: AlertRuleAction|AutomationRule|Bookmark|Incident|SentinelOnboardingState + variant: ^(Create|Update)(?!.*?(Expanded|JsonFilePath|JsonString))|^CreateViaIdentityExpanded$ remove: true - # fix Equals that conflicts with inhertied property - where: - enum-name: AutomationRulePropertyConditionSupportedOperator - enum-value-name: Equals - set: - enum-value-name: Equal + variant: ^(Append|Connect|Expand|Query|Replace)(?!.*?(Expanded|JsonFilePath|JsonString)) + remove: true + # Remove module-cross object (unknown) + - where: + variant: ^(Create|Update|Query|Queries|Replace|Get|Delete)(?=.*?Workspace) + remove: true - where: verb: Get subject: AutomationRule|Bookmark|DataConnector|Enrichment|EntityActivity|EntityInsight|EntityTimeline|Incident$|IncidentAlert|IncidentBookmark|IncidentEntity|Metadata|ThreatIntelligenceIndicatorMetric diff --git a/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelAlertRule.ps1 b/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelAlertRule.ps1 index b6b024229fff..f01ff35b4649 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelAlertRule.ps1 +++ b/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelAlertRule.ps1 
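Review bot: In the new "Remove the unexpanded parameter set" directive the subject list `AlertRuleAction|AutomationRule|Bookmark|Incident|SentinelOnboardingState` is unanchored, so `Incident` also matches IncidentComment and every other Incident-prefixed subject, whereas the same list elsewhere in this file is written with explicit anchors (`^Incident$|^IncidentComment$`). If IncidentComment's plain Create/Update variants are meant to go too, list it explicitly; otherwise use `subject: ^(AlertRuleAction|AutomationRule|Bookmark|Incident|SentinelOnboardingState)$`. The comment `# Remove module-cross object (unknown)` above the `(?=.*?Workspace)` removal documents nothing — replace "(unknown)" with one line stating what these *Workspace variants are and why the module does not expose them. The dropped `Equals`→`Equal` enum-value rename is presumably obsolete now that enum values are surfaced as strings with completers (see the .ps1 hunks), but that reasoning is not recorded anywhere.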
@@ -23,7 +23,7 @@ Creates the alert rule. https://learn.microsoft.com/powershell/module/az.securityinsights/new-azsentinelalertrule #> function New-AzSentinelAlertRule { - [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule])] + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AlertRule])] [CmdletBinding(DefaultParameterSetName = 'FusionMLTI', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] param( [Parameter()] @@ -55,9 +55,9 @@ function New-AzSentinelAlertRule { ${RuleId}, [Parameter(Mandatory)] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertRuleKind])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion", "MLBehaviorAnalytics", "ThreatIntelligence", "NRT")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertRuleKind] + [System.String] # Kind of the the data connection ${Kind}, 
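Review bot: Replacing the `Support.AlertRuleKind` type on `Kind` with `[System.String]` plus `PSArgumentCompleterAttribute` drops the bind-time validation the enum type gave: a completer only suggests values, so `-Kind Foo` now reaches the body, none of the `$PSBoundParameters['Kind'] -eq ...` branches match, and `$AlertRule` appears never to be assigned before it is added to `$PSBoundParameters` (the function body continues outside these hunks). Add `[ValidateSet("Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion", "MLBehaviorAnalytics", "ThreatIntelligence", "NRT")]` next to the completer so bad input is rejected at the parameter rather than surfacing as an opaque service error. The same applies to ProductFilter, Severity, Tactic, GroupByAlertDetail, GroupByEntity, TriggerOperator and EventGroupingSettingAggregationKind in the later hunks of this file, and to Kind, the Enabled/Disabled data-type parameters and PollingFrequency in New-AzSentinelDataConnector.ps1; SeveritiesFilter loses its typed enum and gets no completer at all. Keep in mind that `-eq` and ValidateSet are both case-insensitive by default, so casing of the accepted values is unchanged by this.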
@@ -100,14 +100,14 @@ function New-AzSentinelAlertRule { [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation', Mandatory)] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT", "Office 365 Advanced Threat Protection", "Microsoft Defender Advanced Threat Protection")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName] + [System.String] ${ProductFilter}, [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[]] + [System.String[]] #High, Medium, Low, Informational ${SeveritiesFilter}, 
@@ -138,15 +138,15 @@ function New-AzSentinelAlertRule { [Parameter(ParameterSetName = 'NRT', Mandatory)] [Parameter(ParameterSetName = 'Scheduled', Mandatory)] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("High", "Medium", "Low", "Informational")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity] + [System.String] ${Severity}, [Parameter(ParameterSetName = 'NRT')] [Parameter(ParameterSetName = 'Scheduled')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - #[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("InitialAccess", "Execution", "Persistence", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement", "Collection", "Exfiltration", "CommandAndControl", "Impact", "PreAttack")] [System.String[]] #InitialAccess, Execution, Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Collection, Exfiltration, CommandAndControl, Impact, PreAttack ${Tactic}, 
@@ -187,22 +187,22 @@ function New-AzSentinelAlertRule { [Parameter(ParameterSetName = 'NRT')] [Parameter(ParameterSetName = 'Scheduled')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("DisplayName", "Severity")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail[]] + [System.String[]] ${GroupByAlertDetail}, [Parameter(ParameterSetName = 'NRT')] [Parameter(ParameterSetName = 'Scheduled')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [string[]] + [System.String[]] ${GroupByCustomDetail}, [Parameter(ParameterSetName = 'NRT')] [Parameter(ParameterSetName = 'Scheduled')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Account", "Host", "IP", "Malware", "File", "Process", "CloudApplication", "DNS", "AzureResource", "FileHash", "RegistryKey", "RegistryValue", "SecurityGroup", "URL", "Mailbox", "MailCluster", "MailMessage", "SubmissionMail")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[]] + [System.String[]] ${GroupByEntity}, 
@@ -210,7 +210,7 @@ function New-AzSentinelAlertRule { [Parameter(ParameterSetName = 'Scheduled')] #'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.EntityMapping[]] ${EntityMapping}, [Parameter(ParameterSetName = 'NRT')] @@ -249,9 +249,9 @@ function New-AzSentinelAlertRule { ${QueryPeriod}, [Parameter(ParameterSetName = 'Scheduled', Mandatory)] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("GreaterThan", "LessThan", "Equal", "NotEqual")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator] + [System.String] ${TriggerOperator}, [Parameter(ParameterSetName = 'Scheduled', Mandatory)] @@ -260,9 +260,9 @@ function New-AzSentinelAlertRule { ${TriggerThreshold}, [Parameter(ParameterSetName = 'Scheduled')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("SingleAlert", "AlertPerResult")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind] + [System.String] ${EventGroupingSettingAggregationKind}, [Parameter()] 
@@ -329,7 +329,7 @@ function New-AzSentinelAlertRule { try { #Fusion if ($PSBoundParameters['Kind'] -eq 'Fusion'){ - $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.FusionAlertRule]::new() + $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.FusionAlertRule]::new() $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplate'] $null = $PSBoundParameters.Remove('AlertRuleTemplate') @@ -344,7 +344,7 @@ function New-AzSentinelAlertRule { } #MSIC if($PSBoundParameters['Kind'] -eq 'MicrosoftSecurityIncidentCreation'){ - $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MicrosoftSecurityIncidentCreationAlertRule]::new() + $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.MicrosoftSecurityIncidentCreationAlertRule]::new() If($PSBoundParameters['AlertRuleTemplateName']){ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName'] @@ -384,7 +384,7 @@ function New-AzSentinelAlertRule { } #ML if ($PSBoundParameters['Kind'] -eq 'MLBehaviorAnalytics'){ - $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MlBehaviorAnalyticsAlertRule]::new() + $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.MlBehaviorAnalyticsAlertRule]::new() $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplate'] $null = $PSBoundParameters.Remove('AlertRuleTemplate') @@ -400,7 +400,7 @@ function New-AzSentinelAlertRule { #NRT if($PSBoundParameters['Kind'] -eq 'NRT'){ - $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.NrtAlertRule]::new() + $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.NrtAlertRule]::new() If($PSBoundParameters['AlertRuleTemplateName']){ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName'] 
@@ -518,7 +518,7 @@ function New-AzSentinelAlertRule { } #Scheduled if ($PSBoundParameters['Kind'] -eq 'Scheduled'){ - $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ScheduledAlertRule]::new() + $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ScheduledAlertRule]::new() If($PSBoundParameters['AlertRuleTemplateName']){ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName'] @@ -652,7 +652,7 @@ function New-AzSentinelAlertRule { } #TI if ($PSBoundParameters['Kind'] -eq 'ThreatIntelligence'){ - $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ThreatIntelligenceAlertRule]::new() + $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ThreatIntelligenceAlertRule]::new() $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplate'] $null = $PSBoundParameters.Remove('AlertRuleTemplate') @@ -667,8 +667,9 @@ function New-AzSentinelAlertRule { } $null = $PSBoundParameters.Remove('FusionMLTI') - - $AlertRule.Kind = $PSBoundParameters['Kind'] + + #Autorest powershell V4 does not need the Kind property. The object has the Kind value for each. + # $AlertRule.Kind = $PSBoundParameters['Kind'] $null = $PSBoundParameters.Remove('Kind') $null = $PSBoundParameters.Add('AlertRule', $AlertRule) diff --git a/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelDataConnector.ps1 b/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelDataConnector.ps1 index 6b5fec092bc3..d275a2d1c5ff 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelDataConnector.ps1 +++ b/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelDataConnector.ps1 
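Review bot: In the last hunk the `$AlertRule.Kind = $PSBoundParameters['Kind']` assignment is commented out rather than deleted, and the explanation (`Autorest powershell V4 does not need the Kind property. The object has the Kind value for each.`) is hard to parse. Prefer removing the dead line and keeping one clear comment, e.g. `# The v4 model classes carry their own Kind discriminator, so it is not copied from -Kind.` (if that is indeed what the generated models do). The function body continues past this hunk.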
@@ -23,7 +23,7 @@ Creates or updates the data connector. https://learn.microsoft.com/powershell/module/az.securityinsights/new-azsentineldataconnector #> function New-AzSentinelDataConnector { - [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector])] + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.DataConnector])] [CmdletBinding(DefaultParameterSetName = 'AADAATP', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] param( [Parameter()] @@ -53,9 +53,9 @@ function New-AzSentinelDataConnector { ${Id}, [Parameter(Mandatory)] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", "ThreatIntelligence", "ThreatIntelligenceTaxii", "Office365", "OfficeATP", "OfficeIRM", "AmazonWebServicesCloudTrail", "AmazonWebServicesS3", "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection", "Dynamics365", "MicrosoftThreatProtection", "MicrosoftThreatIntelligence", "GenericUI", "APIPolling")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind] + [System.String] # Kind of the the data connection ${Kind}, 
@@ -88,25 +88,25 @@ function New-AzSentinelDataConnector { [Parameter(ParameterSetName = 'MicrosoftDefenderAdvancedThreatProtection')] [Parameter(ParameterSetName = 'OfficeATP')] [Parameter(ParameterSetName = 'OfficeIRM')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${Alerts}, [Parameter(ParameterSetName = 'Dynamics365')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${CommonDataServiceActivity}, [Parameter(ParameterSetName = 'MicrosoftCloudAppSecurity')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${DiscoveryLog}, [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${BingSafetyPhishingURL}, 
@@ -118,7 +118,7 @@ function New-AzSentinelDataConnector { ${BingSafetyPhishingUrlLookbackPeriod}, [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${MicrosoftEmergingThreatFeed}, 
@@ -130,31 +130,31 @@ function New-AzSentinelDataConnector { ${MicrosoftEmergingThreatFeedLookbackPeriod}, [Parameter(ParameterSetName = 'MicrosoftThreatProtection')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${Incident}, [Parameter(ParameterSetName = 'Office365')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${Exchange}, [Parameter(ParameterSetName = 'Office365')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${SharePoint}, [Parameter(ParameterSetName = 'Office365')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${Teams}, [Parameter(ParameterSetName = 'ThreatIntelligence')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${Indicator}, 
@@ -196,9 +196,9 @@ function New-AzSentinelDataConnector { ${TaxiiLookbackPeriod}, [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("OnceAMinute", "OnceAnHour", "OnceADay")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency] + [System.String] ${PollingFrequency}, [Parameter(ParameterSetName = 'AmazonWebServicesCloudTrail', Mandatory)] @@ -209,14 +209,14 @@ function New-AzSentinelDataConnector { [Parameter(ParameterSetName = 'AmazonWebServicesCloudTrail')] [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${Log}, [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [String[]] + [System.String[]] ${SQSURL}, [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)] 
@@ -257,25 +257,25 @@ function New-AzSentinelDataConnector { [Parameter(ParameterSetName = 'GenericUI', Mandatory)] #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.GraphQueries[]] ${UiConfigGraphQuery}, [Parameter(ParameterSetName = 'GenericUI', Mandatory)] #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.SampleQueries[]] ${UiConfigSampleQuery}, [Parameter(ParameterSetName = 'GenericUI', Mandatory)] #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.LastDataReceivedDataType[]] ${UiConfigDataType}, [Parameter(ParameterSetName = 'GenericUI', Mandatory)] #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ConnectivityCriteria[]] ${UiConfigConnectivityCriterion}, [Parameter(ParameterSetName = 'GenericUI', Mandatory)] 
@@ -294,19 +294,19 @@ function New-AzSentinelDataConnector { [Parameter(ParameterSetName = 'GenericUI')] #[Parameter(ParameterSetName = 'APIPolling')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.PermissionsResourceProviderItem[]] ${PermissionResourceProvider}, [Parameter(ParameterSetName = 'GenericUI')] #[Parameter(ParameterSetName = 'APIPolling')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.PermissionsCustomsItem[]] ${PermissionCustom}, [Parameter(ParameterSetName = 'GenericUI', Mandatory)] #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.InstructionSteps[]] ${UiConfigInstructionStep}, [Parameter()] @@ -372,7 +372,7 @@ function New-AzSentinelDataConnector { process { try { if ($PSBoundParameters['Kind'] -eq 'AzureActiveDirectory'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AadDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AadDataConnector]::new() $DataConnector.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') 
@@ -383,7 +383,7 @@ function New-AzSentinelDataConnector { } } if($PSBoundParameters['Kind'] -eq 'AzureAdvancedThreatProtection'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AatpDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AatpDataConnector]::new() $DataConnector.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') @@ -394,7 +394,7 @@ function New-AzSentinelDataConnector { } } if($PSBoundParameters['Kind'] -eq 'Dynamics365'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Dynamics365DataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Dynamics365DataConnector]::new() $DataConnector.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') @@ -405,7 +405,7 @@ function New-AzSentinelDataConnector { } } if($PSBoundParameters['Kind'] -eq 'MicrosoftCloudAppSecurity'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.McasDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.McasDataConnector]::new() $DataConnector.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') @@ -421,7 +421,7 @@ function New-AzSentinelDataConnector { } } if($PSBoundParameters['Kind'] -eq 'MicrosoftDefenderAdvancedThreatProtection'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MdatpDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.MdatpDataConnector]::new() $DataConnector.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') 
@@ -432,7 +432,7 @@ function New-AzSentinelDataConnector { } } if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatIntelligence'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MstiDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.MstiDataConnector]::new() $DataConnector.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') @@ -487,7 +487,7 @@ function New-AzSentinelDataConnector { } if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatProtection'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MtpDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.MtpDataConnector]::new() $DataConnector.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') @@ -498,7 +498,7 @@ function New-AzSentinelDataConnector { } } if($PSBoundParameters['Kind'] -eq 'Office365'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.OfficeDataConnector]::new() $DataConnector.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') @@ -519,7 +519,7 @@ function New-AzSentinelDataConnector { } } if($PSBoundParameters['Kind'] -eq 'OfficeATP'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeAtpDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.OfficeAtpDataConnector]::new() $DataConnector.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') 
@@ -530,7 +530,7 @@ function New-AzSentinelDataConnector { } } if($PSBoundParameters['Kind'] -eq 'OfficeIRM'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeIrmDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.OfficeIrmDataConnector]::new() $DataConnector.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') @@ -541,7 +541,7 @@ function New-AzSentinelDataConnector { } } if($PSBoundParameters['Kind'] -eq 'ThreatIntelligence'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TiDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.TiDataConnector]::new() $DataConnector.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') @@ -554,7 +554,7 @@ function New-AzSentinelDataConnector { } } if($PSBoundParameters['Kind'] -eq 'ThreatIntelligenceTaxii'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TiTaxiiDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.TiTaxiiDataConnector]::new() $DataConnector.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') @@ -596,7 +596,7 @@ function New-AzSentinelDataConnector { } if($PSBoundParameters['Kind'] -eq 'AzureSecurityCenter'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AscDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AscDataConnector]::new() $DataConnector.SubscriptionId = $PSBoundParameters['ASCSubscriptionId'] $null = $PSBoundParameters.Remove('ASCSubscriptionId') 
@@ -607,7 +607,7 @@ function New-AzSentinelDataConnector { } } if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesCloudTrail'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AwsCloudTrailDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AwsCloudTrailDataConnector]::new() $DataConnector.AWSRoleArn = $PSBoundParameters['AWSRoleArn'] $null = $PSBoundParameters.Remove('AWSRoleArn') @@ -618,7 +618,7 @@ function New-AzSentinelDataConnector { } } if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesS3'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AwsCloudTrailDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AwsCloudTrailDataConnector]::new() $DataConnector.RoleArn = $PSBoundParameters['AWSRoleArn'] $null = $PSBoundParameters.Remove('AWSRoleArn') @@ -635,7 +635,7 @@ function New-AzSentinelDataConnector { $null = $PSBoundParameters.Remove('DetinationTable') } if($PSBoundParameters['Kind'] -eq 'GenericUI'){ - $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CodelessUiDataConnector]::new() + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.CodelessUiDataConnector]::new() $DataConnector.ConnectorUiConfigTitle = $PSBoundParameters['UiConfigTitle'] $null = $PSBoundParameters.Remove('UiConfigTitle') 
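Review bot: The `AmazonWebServicesS3` branch still instantiates `AwsCloudTrailDataConnector` on its new line, the same model the `AmazonWebServicesCloudTrail` branch builds, yet it then assigns `$DataConnector.RoleArn` where the CloudTrail branch assigns `$DataConnector.AWSRoleArn`; the differing property names suggest a different model was intended and the namespace migration carried the copy-paste over. If the regenerated Models namespace provides a dedicated S3 connector type, the branch should construct that instead; otherwise it is worth confirming `RoleArn` actually exists on the CloudTrail model, since assigning a property a .NET object does not have fails at runtime in PowerShell. The branch continues outside the hunk.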
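Review bot: The context line `$null = $PSBoundParameters.Remove('DetinationTable')` just above the `GenericUI` branch looks misspelled; if the parameter is declared as `DestinationTable`, this removal is a no-op and the parameter is forwarded untouched to whatever the function splats `$PSBoundParameters` into. Worth verifying the declared name in the param block, which is outside this hunk, and aligning the two spellings. The `GenericUI` branch itself continues past the end of the hunk.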
@@ -675,11 +675,11 @@ function New-AzSentinelDataConnector { } If($PSBoundParameters['PermissionResourceProvider']){ - $DataConnector.AvailabilityStatus = $PSBoundParameters['PermissionResourceProvider'] + $DataConnector.PermissionResourceProvider = $PSBoundParameters['PermissionResourceProvider'] $null = $PSBoundParameters.Remove('PermissionResourceProvider') } ElseIf($PSBoundParameters['PermissionCustom']){ - $DataConnector.AvailabilityStatus = $PSBoundParameters['PermissionCustom'] + $DataConnector.PermissionCustom = $PSBoundParameters['PermissionCustom'] $null = $PSBoundParameters.Remove('PermissionCustom') } Else { @@ -691,8 +691,9 @@ function New-AzSentinelDataConnector { $null = $PSBoundParameters.Remove('UiConfigInstructionStep') } - - $DataConnector.Kind = $PSBoundParameters['Kind'] + + #Autorest powershell V4 does not need the Kind property. The object has the Kind value for each. + # $DataConnector.Kind = $PSBoundParameters['Kind'] $null = $PSBoundParameters.Remove('Kind') $null = $PSBoundParameters.Remove('DataConnector') diff --git a/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelEntityQuery.ps1 b/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelEntityQuery.ps1 index 7b4c4359d5cc..7c7f5bd36db8 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelEntityQuery.ps1 +++ b/src/SecurityInsights/SecurityInsights.Autorest/custom/New-AzSentinelEntityQuery.ps1 
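Review bot: With the corrected assignments, a caller who passes both `PermissionResourceProvider` and `PermissionCustom` only gets the first applied, because the `ElseIf` skips the second branch and also leaves `PermissionCustom` in `$PSBoundParameters`, where it may be forwarded unexpectedly. The two permission collections look independent of each other, so two separate `If` blocks would let both be set and removed. The trailing `Else {` branch continues outside the hunk, so it would need to be re-expressed (for example as a check that neither was bound) when the chain is split.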
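Review bot: The commented-out `# $DataConnector.Kind = $PSBoundParameters['Kind']` should be deleted rather than kept beside the explanatory comment; commented-out code drifts out of date, and the comment alone carries the reason. The comment's claim that every model now carries its own `Kind` cannot be verified from this hunk, so a short guard before the `Remove('Kind')` call that fails when `$DataConnector.Kind` is empty would make that assumption fail loudly if a regenerated model lacks it. The function body continues outside the hunk.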
@@ -23,7 +23,7 @@ Creates or updates the entity query. https://learn.microsoft.com/powershell/module/az.securityinsights/new-azsentinelentityquery #> function New-AzSentinelEntityQuery { - [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery])] + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.CustomEntityQuery])] [CmdletBinding(DefaultParameterSetName = 'Activity', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] param( [Parameter()] @@ -46,7 +46,9 @@ function New-AzSentinelEntityQuery { [System.String] # The name of the workspace. ${WorkspaceName}, - + + [Parameter()] + [Alias('EntityQueryId')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')] [System.String] @@ -54,9 +56,9 @@ function New-AzSentinelEntityQuery { ${Id}, [Parameter(Mandatory)] - [ArgumentCompleter( { param ( $CommandName, $EntityQueryName, $WordToComplete, $CommandAst, $FakeBoundParameters ) return @('Activity') })] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Activity","Expansion")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityQueryKind] + [System.String] # Kind of the the Entity Query ${Kind}, 
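Review bot: Replacing `[Support.EntityQueryKind]` with `[System.String]` plus `PSArgumentCompleterAttribute("Activity","Expansion")` drops the input validation the enum type provided: a completer only suggests values, so any string is now accepted, and the body in the `@@ -165` hunk only builds an object for `'Activity'`, leaving `$EntityQuery` unassigned for `'Expansion'` or a typo. Adding `[ValidateSet('Activity','Expansion')]` on `${Kind}` (or throwing when no branch matches) restores the earlier behaviour. The same enum-to-string change without validation appears on `${InputEntityType}` in the next hunk, on `${Kind}` in Test-AzSentinelDataConnectorCheckRequirement, on `${ProductFilter}`, `${Severity}`, `${GroupByAlertDetail}`, `${GroupByEntity}`, `${TriggerOperator}` and `${EventGroupingSettingAggregationKind}` in Update-AzSentinelAlertRule, on `${PollingFrequency}` in Update-AzSentinelDataConnector, and on `${InputEntityType}` in Update-AzSentinelEntityQuery.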
@@ -81,9 +83,9 @@ function New-AzSentinelEntityQuery { ${QueryDefinitionQuery}, [Parameter(ParameterSetName = 'Activity', Mandatory)] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Account", "Host", "File", "AzureResource", "CloudApplication", "DNS", "FileHash", "IP", "Malware", "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "URL", "IoTDevice", "SecurityAlert", "HuntingBookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType] + [System.String] ${InputEntityType}, [Parameter(ParameterSetName = 'Activity')] @@ -93,7 +95,7 @@ function New-AzSentinelEntityQuery { [Parameter(ParameterSetName = 'Activity')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ActivityEntityQueriesPropertiesEntitiesFilter] ${EntitiesFilter}, [Parameter(ParameterSetName = 'Activity')] @@ -165,7 +167,7 @@ function New-AzSentinelEntityQuery { try { if ($PSBoundParameters['Kind'] -eq 'Activity'){ - $EntityQuery = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityCustomEntityQuery]::new() + $EntityQuery = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ActivityCustomEntityQuery]::new() $EntityQuery.Title = $PSBoundParameters['Title'] $null = $PSBoundParameters.Remove('Title') diff --git a/src/SecurityInsights/SecurityInsights.Autorest/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1 b/src/SecurityInsights/SecurityInsights.Autorest/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1 index 8c416263b84c..c95f66edee1f 100644 
--- a/src/SecurityInsights/SecurityInsights.Autorest/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1 +++ b/src/SecurityInsights/SecurityInsights.Autorest/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1 @@ -23,7 +23,7 @@ Get requirements state for a data connector type. https://learn.microsoft.com/powershell/module/az.securityinsights/test-azsentineldataconnectorcheckrequirement #> function Test-AzSentinelDataConnectorCheckRequirement { - [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnectorsCheckRequirements])] + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.DataConnectorsCheckRequirements])] [CmdletBinding(DefaultParameterSetName = 'AADTenant', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] param( [Parameter()] @@ -48,9 +48,9 @@ function Test-AzSentinelDataConnectorCheckRequirement { ${WorkspaceName}, [Parameter(Mandatory)] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", "ThreatIntelligence", "ThreatIntelligenceTaxii", "Office365", "OfficeATP", "OfficeIRM", "AmazonWebServicesCloudTrail", "AmazonWebServicesS3", "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection", "Dynamics365", "MicrosoftThreatProtection", "MicrosoftThreatIntelligence", "GenericUI", "APIPolling")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind] + [System.String] # Kind of the the data connection ${Kind}, 
@@ -136,68 +136,68 @@ function Test-AzSentinelDataConnectorCheckRequirement { try { if ($PSBoundParameters['Kind'] -eq 'AzureActiveDirectory'){ - $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AadCheckRequirements]::new() + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AadCheckRequirements]::new() $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') } if($PSBoundParameters['Kind'] -eq 'AzureAdvancedThreatProtection'){ - $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AatpCheckRequirements]::new() + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AatpCheckRequirements]::new() $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') } if($PSBoundParameters['Kind'] -eq 'Dynamics365'){ - $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Dynamics365CheckRequirements]::new() + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Dynamics365CheckRequirements]::new() $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') } if($PSBoundParameters['Kind'] -eq 'MicrosoftCloudAppSecurity'){ - $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MCASCheckRequirements]::new() + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.MCASCheckRequirements]::new() $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') } if($PSBoundParameters['Kind'] -eq 'MicrosoftDefenderAdvancedThreatProtection'){ - 
$DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MDATPCheckRequirements]::new() + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.MDATPCheckRequirements]::new() $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') } if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatIntelligence'){ - $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MSTICheckRequirements]::new() + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.MSTICheckRequirements]::new() $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') } if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatProtection'){ - $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MtpCheckRequirements]::new() + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.MtpCheckRequirements]::new() $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') } #if($PSBoundParameters['Kind'] -eq 'Office365'){ - # $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Office365CheckRequirements]::new() + # $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Office365CheckRequirements]::new() # $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] # $null = $PSBoundParameters.Remove('TenantId') #} if($PSBoundParameters['Kind'] -eq 'OfficeATP'){ - $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeATPCheckRequirements]::new() + $DataConnectorCheckRequirement = 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.OfficeATPCheckRequirements]::new() $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') } if($PSBoundParameters['Kind'] -eq 'OfficeIRM'){ - $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeIrmCheckRequirements]::new() + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.OfficeIrmCheckRequirements]::new() $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') } if($PSBoundParameters['Kind'] -eq 'ThreatIntelligence'){ - $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TICheckRequirements]::new() + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.TICheckRequirements]::new() $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') } if($PSBoundParameters['Kind'] -eq 'ThreatIntelligenceTaxii'){ - $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TiTaxiiCheckRequirements]::new() + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.TiTaxiiCheckRequirements]::new() $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') } if($PSBoundParameters['Kind'] -eq 'AzureSecurityCenter'){ - $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ASCCheckRequirements]::new() + $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ASCCheckRequirements]::new() $DataConnectorCheckRequirement.SubscriptionId = $PSBoundParameters['ASCSubscriptionId'] $null = 
$PSBoundParameters.Remove('ASCSubscriptionId')
 }
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelAlertRule.ps1 b/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelAlertRule.ps1
index 5b685ccfb790..e490855a0193 100644
--- a/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelAlertRule.ps1
+++ b/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelAlertRule.ps1
@@ -23,7 +23,7 @@ Updates the alert rule.
 https://learn.microsoft.com/powershell/module/az.securityinsights/Update-azsentinelalertrule
 #>
 function Update-AzSentinelAlertRule {
- [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule])]
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AlertRule])]
 [CmdletBinding(DefaultParameterSetName = 'UpdateScheduled', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
 param(
 [Parameter(ParameterSetName = 'UpdateFusionMLTI')]
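Review bot: The completer added to `${Kind}` in the earlier `@@ -48` hunk advertises `Office365`, `AmazonWebServicesCloudTrail`, `AmazonWebServicesS3`, `GenericUI` and `APIPolling`, but in this body the `Office365` branch is commented out and no branch for the other four is visible, so for those kinds `$DataConnectorCheckRequirement` is never assigned and whatever follows operates on `$null`. Either trim the completer to the kinds the function actually builds, or end the chain with an explicit failure such as `if (-not $DataConnectorCheckRequirement) { throw "Unsupported Kind: $($PSBoundParameters['Kind'])" }`. The `try` block continues outside the hunk, so later branches may exist there.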
@@ -160,15 +160,15 @@ function Update-AzSentinelAlertRule { [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')] [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT", "Office 365 Advanced Threat Protection", "Microsoft Defender Advanced Threat Protection")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName] + [System.String] ${ProductFilter}, [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')] [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[]] + [System.String[]] #High, Medium, Low, Informational ${SeveritiesFilter}, 
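Review bot: `${SeveritiesFilter}` is switched to `[System.String[]]` with only the comment `#High, Medium, Low, Informational` documenting the accepted values, while the sibling `${Severity}` parameter in the next hunk gets `PSArgumentCompleterAttribute("High", "Medium", "Low", "Informational")`; the same attribute here would keep the two consistent and make the values discoverable at the prompt rather than only in the source. Dropping `[Support.AlertSeverity[]]` also removes value validation, so `[ValidateSet('High','Medium','Low','Informational')]` is worth adding if the old behaviour of rejecting unknown severities should be preserved.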
@@ -209,18 +209,17 @@ function Update-AzSentinelAlertRule { [Parameter(ParameterSetName = 'UpdateScheduled')] [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')] [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("High", "Medium", "Low", "Informational")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity] + [System.String] ${Severity}, [Parameter(ParameterSetName = 'UpdateNRT')] [Parameter(ParameterSetName = 'UpdateScheduled')] [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')] [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("InitialAccess", "Execution", "Persistence", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement", "Collection", "Exfiltration", "CommandAndControl", "Impact", "PreAttack")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic] [System.String[]] ${Tactic}, 
@@ -273,9 +272,9 @@ function Update-AzSentinelAlertRule { [Parameter(ParameterSetName = 'UpdateScheduled')] [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')] [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("DisplayName", "Severity")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail[]] + [System.String[]] ${GroupByAlertDetail}, [Parameter(ParameterSetName = 'UpdateNRT')] @@ -283,16 +282,16 @@ function Update-AzSentinelAlertRule { [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')] [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [string[]] + [System.String[]] ${GroupByCustomDetail}, [Parameter(ParameterSetName = 'UpdateNRT')] [Parameter(ParameterSetName = 'UpdateScheduled')] [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')] [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Account", "Host", "IP", "Malware", "File", "Process", "CloudApplication", "DNS", "AzureResource", "FileHash", "RegistryKey", "RegistryValue", "SecurityGroup", "URL", "Mailbox", "MailCluster", "MailMessage", "SubmissionMail")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[]] + [System.String[]] ${GroupByEntity}, 
@@ -302,7 +301,7 @@ function Update-AzSentinelAlertRule { [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')] #'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.EntityMapping[]] ${EntityMapping}, [Parameter(ParameterSetName = 'UpdateNRT')] @@ -352,9 +351,9 @@ function Update-AzSentinelAlertRule { [Parameter(ParameterSetName = 'UpdateScheduled')] [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("GreaterThan", "LessThan", "Equal", "NotEqual")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator] + [string] ${TriggerOperator}, [Parameter(ParameterSetName = 'UpdateScheduled')] @@ -365,9 +364,9 @@ function Update-AzSentinelAlertRule { [Parameter(ParameterSetName = 'UpdateScheduled')] [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("SingleAlert", "AlertPerResult")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind] + [string] ${EventGroupingSettingAggregationKind}, [Parameter()] 
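Review bot: `${TriggerOperator}` and `${EventGroupingSettingAggregationKind}` are typed `[string]` while every other parameter converted in this file uses `[System.String]` (for example `${Severity}` and `${ProductFilter}`); the two spellings are equivalent, but mixing them in one param block reads as accidental. Using `[System.String]` on both keeps the file uniform.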
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelDataConnector.ps1 b/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelDataConnector.ps1
index ac1241ccf167..4f2f178096a8 100644
--- a/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelDataConnector.ps1
+++ b/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelDataConnector.ps1
@@ -23,7 +23,7 @@ Updates the data connector.
 https://learn.microsoft.com/powershell/module/az.securityinsights/update-azsentineldataconnector
 #>
 function Update-AzSentinelDataConnector {
- [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector])]
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.DataConnector])]
 [CmdletBinding(DefaultParameterSetName = 'UpdateAADAATP', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
 param(
 [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail')]
@@ -270,28 +270,28 @@ function Update-AzSentinelDataConnector { [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection')] [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeATP')] [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeIRM')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${Alerts}, [Parameter(ParameterSetName = 'UpdateDynamics365')] [Parameter(ParameterSetName = 'UpdateViaIdentityDynamics365')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${CommonDataServiceActivity}, [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')] [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${DiscoveryLog}, [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')] [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${BingSafetyPhishinURL}, 
@@ -305,7 +305,7 @@ function Update-AzSentinelDataConnector { [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')] [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${MicrosoftEmergingThreatFeed}, 
@@ -319,35 +319,35 @@ function Update-AzSentinelDataConnector { [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection')] [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatProtection')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${Incident}, [Parameter(ParameterSetName = 'UpdateOffice365')] [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${Exchange}, [Parameter(ParameterSetName = 'UpdateOffice365')] [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${SharePoint}, [Parameter(ParameterSetName = 'UpdateOffice365')] [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${Teams}, [Parameter(ParameterSetName = 'UpdateThreatIntelligence')] [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligence')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${Indicator}, @@ -396,9 +396,9 @@ function Update-AzSentinelDataConnector { [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')] [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("OnceAMinute", "OnceAnHour", "OnceADay")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency] + [System.String] ${PollingFrequency}, [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail')] @@ -413,7 +413,7 @@ function Update-AzSentinelDataConnector { [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')] [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail')] [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Enabled", "Disabled")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] ${Log}, 
@@ -463,25 +463,25 @@ function Update-AzSentinelDataConnector { [Parameter(ParameterSetName = 'UpdateGenericUI')] [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.GraphQueries[]] ${UiConfigGraphQuery}, [Parameter(ParameterSetName = 'UpdateGenericUI')] [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.SampleQueries[]] ${UiConfigSampleQuery}, [Parameter(ParameterSetName = 'UpdateGenericUI')] [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.LastDataReceivedDataType[]] ${UiConfigDataType}, [Parameter(ParameterSetName = 'UpdateGenericUI')] [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ConnectivityCriteria[]] ${UiConfigConnectivityCriterion}, [Parameter(ParameterSetName = 'UpdateGenericUI')] 
@@ -500,19 +500,19 @@ function Update-AzSentinelDataConnector { [Parameter(ParameterSetName = 'UpdateGenericUI')] [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.PermissionsResourceProviderItem[]] ${PermissionResourceProvider}, [Parameter(ParameterSetName = 'UpdateGenericUI')] [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.PermissionsCustomsItem[]] ${PermissionCustom}, [Parameter(ParameterSetName = 'UpdateGenericUI')] [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[]] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.InstructionSteps[]] ${UiConfigInstructionStep}, [Parameter()] diff --git a/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelEntityQuery.ps1 b/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelEntityQuery.ps1 index 6c6de877501b..6e6e34056b73 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelEntityQuery.ps1 +++ b/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelEntityQuery.ps1 
@@ -23,7 +23,7 @@ Updates the entity query. https://learn.microsoft.com/powershell/module/az.securityinsights/update-azsentinelentityquery #> function Update-AzSentinelEntityQuery { - [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery])] + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.CustomEntityQuery])] [CmdletBinding(DefaultParameterSetName = 'UpdateActivity', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] param( [Parameter(ParameterSetName = 'UpdateActivity')] @@ -48,10 +48,11 @@ function Update-AzSentinelEntityQuery { ${WorkspaceName}, [Parameter(ParameterSetName = 'UpdateActivity', Mandatory)] + [Alias('EntityQueryId')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] [System.String] # The Id of the Entity Query. - ${EntityQueryId}, + ${Id}, [Parameter(ParameterSetName = 'UpdateViaIdentityActivity', Mandatory, ValueFromPipeline)] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] @@ -86,9 +87,9 @@ function Update-AzSentinelEntityQuery { [Parameter(ParameterSetName = 'UpdateActivity')] [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Account", "Host", "File", "AzureResource", "CloudApplication", "DNS", "FileHash", "IP", "Malware", "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "URL", "IoTDevice", "SecurityAlert", "HuntingBookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType] + [System.String] ${InputEntityType}, [Parameter(ParameterSetName = 'UpdateActivity')] 
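Review bot: `${InputEntityType}` in the -86 hunk becomes a bare `[System.String]` with a completer, so any value binds and only the service can reject it; if `PSArgumentCompleterAttribute` completes rather than validates, add a `[ValidateSet(...)]` carrying the same 21 entity kinds (Account through SubmissionMail) so an unknown kind fails at parameter binding. Keeping the two lists in sync is a small maintenance cost, but the alternative failure mode is a 400 from the API after the call has already been made. The `Update-AzSentinelEntityQuery` param block continues outside these hunks.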
@@ -100,7 +101,7 @@ function Update-AzSentinelEntityQuery { [Parameter(ParameterSetName = 'UpdateActivity')] [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ActivityEntityQueriesPropertiesEntitiesFilter] ${EntitiesFilter}, [Parameter(ParameterSetName = 'UpdateActivity')] diff --git a/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelSetting.ps1 b/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelSetting.ps1 index 932e88e09df6..f2603c766d01 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelSetting.ps1 +++ b/src/SecurityInsights/SecurityInsights.Autorest/custom/Update-AzSentinelSetting.ps1 @@ -23,7 +23,7 @@ Updates setting. https://learn.microsoft.com/powershell/module/az.securityinsights/update-azsentinelsetting #> function Update-AzSentinelSetting { - [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Settings])] + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Settings])] [CmdletBinding(DefaultParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] param( [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics')] 
@@ -52,7 +52,7 @@ function Update-AzSentinelSetting { [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)] [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.SettingKind])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("Anomalies", "EyesOn", "EntityAnalytics", "Ueba")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] # The setting Name @@ -78,9 +78,9 @@ function Update-AzSentinelSetting { #.Ueba [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)] [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedUeba', Mandatory)] - [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSources])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.PSArgumentCompleterAttribute("AuditLogs", "AzureActivity", "SecurityEvent", "SigninLogs")] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSources[]] + [System.String[]] ${DataSource}, [Parameter()] diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Az.SecurityInsights.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Az.SecurityInsights.md index 63fcc39bfbb1..a36ce2444117 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Az.SecurityInsights.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Az.SecurityInsights.md 
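Review bot: `${DataSource}` in the -78 hunk changes from `Support.UebaDataSources[]` to `[System.String[]]`, so nothing at bind time constrains the elements to the four names the completer offers. `[ValidateSet]` checks each element of an array parameter, so `[ValidateSet('AuditLogs', 'AzureActivity', 'SecurityEvent', 'SigninLogs')]` placed next to the completer would reject a misspelled source before the settings update is sent; this assumes `PSArgumentCompleterAttribute` only completes, which its name suggests but the hunk does not show. The `Update-AzSentinelSetting` param block continues outside the hunk.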
@@ -96,16 +96,16 @@ Query threat intelligence indicators as per filtering criteria. Creates the alert rule. ### [New-AzSentinelAlertRuleAction](New-AzSentinelAlertRuleAction.md) -Creates or updates the action of alert rule. +Create the action of alert rule. ### [New-AzSentinelAutomationRule](New-AzSentinelAutomationRule.md) -Creates or updates the automation rule. +Create the automation rule. ### [New-AzSentinelBookmark](New-AzSentinelBookmark.md) -Creates or updates the bookmark. +Create the bookmark. ### [New-AzSentinelBookmarkRelation](New-AzSentinelBookmarkRelation.md) -Creates the bookmark relation. +Create the bookmark relation. ### [New-AzSentinelDataConnector](New-AzSentinelDataConnector.md) Creates or updates the data connector. @@ -114,16 +114,16 @@ Creates or updates the data connector. Creates or updates the entity query. ### [New-AzSentinelIncident](New-AzSentinelIncident.md) -Creates or updates the incident. +Create the incident. ### [New-AzSentinelIncidentComment](New-AzSentinelIncidentComment.md) -Creates or updates the incident comment. +Create the incident comment. ### [New-AzSentinelIncidentRelation](New-AzSentinelIncidentRelation.md) -Creates or updates the incident relation. +Create the incident relation. ### [New-AzSentinelIncidentTeam](New-AzSentinelIncidentTeam.md) -Creates a Microsoft team to investigate the incident by sharing information and insights between participants. +Create a Microsoft team to investigate the incident by sharing information and insights between participants. ### [New-AzSentinelOnboardingState](New-AzSentinelOnboardingState.md) Create Sentinel onboarding state 
@@ -168,16 +168,16 @@ Get requirements state for a data connector type. Updates the alert rule. ### [Update-AzSentinelAlertRuleAction](Update-AzSentinelAlertRuleAction.md) -Creates or updates the action of alert rule. +Update the action of alert rule. ### [Update-AzSentinelAutomationRule](Update-AzSentinelAutomationRule.md) -Creates or updates the automation rule. +Update the automation rule. ### [Update-AzSentinelBookmark](Update-AzSentinelBookmark.md) -Creates or updates the bookmark. +Update the bookmark. ### [Update-AzSentinelBookmarkRelation](Update-AzSentinelBookmarkRelation.md) -Creates the bookmark relation. +Update the bookmark relation. ### [Update-AzSentinelDataConnector](Update-AzSentinelDataConnector.md) Updates the data connector. @@ -186,13 +186,16 @@ Updates the data connector. Updates the entity query. ### [Update-AzSentinelIncident](Update-AzSentinelIncident.md) -Creates or updates the incident. +Update the incident. ### [Update-AzSentinelIncidentComment](Update-AzSentinelIncidentComment.md) -Creates or updates the incident comment. +Update the incident comment. ### [Update-AzSentinelIncidentRelation](Update-AzSentinelIncidentRelation.md) -Creates or updates the incident relation. +Update the incident relation. + +### [Update-AzSentinelOnboardingState](Update-AzSentinelOnboardingState.md) +Update Sentinel onboarding state ### [Update-AzSentinelSetting](Update-AzSentinelSetting.md) Updates setting. diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAlertRule.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAlertRule.md index d88fae2c7bba..6832d2ec925f 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAlertRule.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAlertRule.md 
@@ -113,7 +113,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -197,7 +196,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAlertRule +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IAlertRule ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAlertRuleAction.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAlertRuleAction.md index 72e75fc020b1..a833d2524fc1 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAlertRuleAction.md @@ -30,6 +30,12 @@ Get-AzSentinelAlertRuleAction -InputObject [-Default [] ``` +### GetViaIdentityAlertRule +``` +Get-AzSentinelAlertRuleAction -AlertRuleInputObject -Id + [-DefaultProfile ] [] +``` + ## DESCRIPTION Gets the action of alert rule. @@ -54,6 +60,21 @@ This command lists all Actions for a given Alert Rule. ## PARAMETERS +### -AlertRuleInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentityAlertRule +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -DefaultProfile The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription. @@ -75,7 +96,7 @@ Action ID ```yaml Type: System.String -Parameter Sets: Get +Parameter Sets: Get, GetViaIdentityAlertRule Aliases: ActionId Required: True 
@@ -87,7 +108,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -171,7 +191,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IActionResponse +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IActionResponse ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAlertRuleTemplate.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAlertRuleTemplate.md index cddb95aa6682..60d6708fe858 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAlertRuleTemplate.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAlertRuleTemplate.md @@ -114,7 +114,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -183,7 +182,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAlertRuleTemplate +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IAlertRuleTemplate ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAutomationRule.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAutomationRule.md index cb7607c2deb4..fe7c99c2e275 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelAutomationRule.md 
@@ -105,7 +105,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -174,7 +173,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IAutomationRule ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelBookmark.md index 0fe583825b85..a32fa4d4a0cb 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelBookmark.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelBookmark.md @@ -103,7 +103,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -172,7 +171,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IBookmark ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelBookmarkRelation.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelBookmarkRelation.md index 160e332d5ea9..1c7d35f42820 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelBookmarkRelation.md 
@@ -31,6 +31,12 @@ Get-AzSentinelBookmarkRelation -InputObject [-Defaul [] ``` +### GetViaIdentityBookmark +``` +Get-AzSentinelBookmarkRelation -BookmarkInputObject -RelationName + [-DefaultProfile ] [] +``` + ## DESCRIPTION Gets a bookmark relation. @@ -93,6 +99,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -BookmarkInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentityBookmark +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -DefaultProfile The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription. @@ -127,7 +148,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -162,7 +182,7 @@ Relation Name ```yaml Type: System.String -Parameter Sets: Get +Parameter Sets: Get, GetViaIdentityBookmark Aliases: Required: True @@ -260,7 +280,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IRelation ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelDataConnector.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelDataConnector.md index a61d5e8fdc04..fb4d13552cf4 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelDataConnector.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelDataConnector.md 
@@ -102,7 +102,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -171,7 +170,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IDataConnector +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IDataConnector ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEnrichment.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEnrichment.md index 1f8c0537c973..a43d5964f528 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEnrichment.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEnrichment.md @@ -24,18 +24,6 @@ Get-AzSentinelEnrichment -ResourceGroupName -Domain [-Subscrip [-DefaultProfile ] [] ``` -### GetViaIdentity -``` -Get-AzSentinelEnrichment -InputObject -IPAddress - [-DefaultProfile ] [] -``` - -### GetViaIdentity1 -``` -Get-AzSentinelEnrichment -InputObject -Domain - [-DefaultProfile ] [] -``` - ## DESCRIPTION Get geodata for a single IP address @@ -107,7 +95,7 @@ Domain name to be enriched ```yaml Type: System.String -Parameter Sets: Get1, GetViaIdentity1 +Parameter Sets: Get1 Aliases: Required: True 
@@ -117,28 +105,12 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -InputObject -Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. - -```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity -Parameter Sets: GetViaIdentity, GetViaIdentity1 -Aliases: - -Required: True -Position: Named -Default value: None -Accept pipeline input: True (ByValue) -Accept wildcard characters: False -``` - ### -IPAddress IP address (v4 or v6) to be enriched ```yaml Type: System.String -Parameter Sets: Get, GetViaIdentity +Parameter Sets: Get Aliases: Required: True @@ -154,7 +126,7 @@ The name is case insensitive. ```yaml Type: System.String -Parameter Sets: Get, Get1 +Parameter Sets: (All) Aliases: Required: True @@ -169,7 +141,7 @@ The ID of the target subscription. ```yaml Type: System.String[] -Parameter Sets: Get, Get1 +Parameter Sets: (All) Aliases: Required: False @@ -184,13 +156,11 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## INPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity - ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEnrichmentDomainWhois +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IEnrichmentDomainWhois -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEnrichmentIPGeodata +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IEnrichmentIPGeodata ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntity.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntity.md index 78c778cb8f7e..a1ce78f8560f 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntity.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntity.md 
@@ -67,8 +67,8 @@ This command gets an Entity. ### Example 3: Get a Entity by object Id ```powershell - $Entitys = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" - $Entitys[0] | Get-AzSentinelEntity + $Entities = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + $Entities[0] | Get-AzSentinelEntity ``` ```output @@ -127,7 +127,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -196,7 +195,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntity +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IEntity ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityActivity.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityActivity.md index bfb7275e5c59..040e88c67073 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityActivity.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityActivity.md @@ -12,11 +12,18 @@ Get Insights and Activities for an entity. ## SYNTAX +### Queries (Default) ``` Get-AzSentinelEntityActivity -EntityId -ResourceGroupName -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [] ``` +### QueriesViaIdentity +``` +Get-AzSentinelEntityActivity -InputObject [-DefaultProfile ] + [] +``` + ## DESCRIPTION Get Insights and Activities for an entity. @@ -74,7 +81,7 @@ entity ID ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: Queries Aliases: Required: True 
@@ -84,13 +91,28 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -InputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: QueriesViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -ResourceGroupName The name of the resource group. The name is case insensitive. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: Queries Aliases: Required: True @@ -105,7 +127,7 @@ The ID of the target subscription. ```yaml Type: System.String[] -Parameter Sets: (All) +Parameter Sets: Queries Aliases: Required: False @@ -120,7 +142,7 @@ The name of the workspace. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: Queries Aliases: Required: True @@ -135,9 +157,11 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## INPUTS +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQueryItem +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IGetQueriesResponse ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityInsight.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityInsight.md index dd05ca0a7e69..27b0d9d36830 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityInsight.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityInsight.md 
@@ -12,12 +12,20 @@ Execute Insights for an entity. ## SYNTAX +### GetExpanded (Default) ``` Get-AzSentinelEntityInsight -EntityId -ResourceGroupName -WorkspaceName -EndTime -StartTime [-SubscriptionId ] [-AddDefaultExtendedTimeRange] [-InsightQueryId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` +### GetViaIdentityExpanded +``` +Get-AzSentinelEntityInsight -InputObject -EndTime -StartTime + [-AddDefaultExtendedTimeRange] [-InsightQueryId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + ## DESCRIPTION Execute Insights for an entity. @@ -44,7 +52,7 @@ This command gets insights for an Entity for a given time range. ```powershell $startTime = (Get-Date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" $endTime = (Get-Date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" - $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "8d036a2d-f37d-e936-6cca-4e172687cb79" + $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "00001111-aaaa-2222-bbbb-3333cccc4444" $Entity | Get-AzSentinelEntityInsight -EndTime $endTime -StartTime $startTime ``` @@ -112,7 +120,7 @@ entity ID ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: GetExpanded Aliases: Required: True @@ -122,6 +130,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -InputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentityExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -InsightQueryId List of Insights Query Id. If empty, default value is all insights of this entity 
@@ -144,7 +167,7 @@ The name is case insensitive. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: GetExpanded Aliases: Required: True @@ -174,7 +197,7 @@ The ID of the target subscription. ```yaml Type: System.String[] -Parameter Sets: (All) +Parameter Sets: GetExpanded Aliases: Required: False @@ -189,7 +212,7 @@ The name of the workspace. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: GetExpanded Aliases: Required: True @@ -235,9 +258,11 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## INPUTS +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityGetInsightsResponse +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IEntityGetInsightsResponse ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityQuery.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityQuery.md index 1ba6c7d485de..e795898575c8 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityQuery.md @@ -132,7 +132,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -216,7 +215,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQuery +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IEntityQuery ## NOTES 
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityQueryTemplate.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityQueryTemplate.md index d639fd432785..782e36c02541 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityQueryTemplate.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityQueryTemplate.md @@ -120,7 +120,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -204,7 +203,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQueryTemplate +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IEntityQueryTemplate ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityRelation.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityRelation.md index ee86f37000fd..c3a21e944fb9 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityRelation.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityRelation.md @@ -31,6 +31,12 @@ Get-AzSentinelEntityRelation -InputObject [-DefaultP [] ``` +### GetViaIdentityEntity +``` +Get-AzSentinelEntityRelation -EntityInputObject -RelationName + [-DefaultProfile ] [] +``` + ## DESCRIPTION Gets an entity relation. 
@@ -91,6 +97,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -EntityInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentityEntity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -Filter Filters the results, based on a Boolean condition. Optional. @@ -109,7 +130,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -144,7 +164,7 @@ Relation Name ```yaml Type: System.String -Parameter Sets: Get +Parameter Sets: Get, GetViaIdentityEntity Aliases: Required: True @@ -242,7 +262,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IRelation ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityTimeline.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityTimeline.md index f022e6f10d43..d8ed38859874 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityTimeline.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelEntityTimeline.md @@ -14,7 +14,7 @@ Timeline for an entity. ``` Get-AzSentinelEntityTimeline -EntityId -ResourceGroupName -WorkspaceName - -EndTime -StartTime [-SubscriptionId ] [-Kind ] + -EndTime -StartTime [-SubscriptionId ] [-Kind ] [-NumberOfBucket ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` 
@@ -95,7 +95,7 @@ Accept wildcard characters: False Array of timeline Item kinds. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityTimelineKind[] +Type: System.String[] Parameter Sets: (All) Aliases: @@ -220,7 +220,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityTimelineResponse +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IEntityTimelineResponse ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncident.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncident.md index c15c3e2801ab..b73e28cebb70 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncident.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncident.md @@ -121,7 +121,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -239,7 +238,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IIncident ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentAlert.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentAlert.md index fe0ec5b53713..784a1ea4d6fa 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentAlert.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentAlert.md 
@@ -158,7 +158,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISecurityAlert +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IIncidentAlertList ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentBookmark.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentBookmark.md index 4cdfbcc80e8e..108d374ca4a2 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentBookmark.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentBookmark.md @@ -157,7 +157,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IHuntingBookmark +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IIncidentBookmarkList ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentComment.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentComment.md index 2f4e84b54292..9597b300759f 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentComment.md @@ -31,6 +31,12 @@ Get-AzSentinelIncidentComment -InputObject [-Default [] ``` +### GetViaIdentityIncident +``` +Get-AzSentinelIncidentComment -Id -IncidentInputObject + [-DefaultProfile ] [] +``` + ## DESCRIPTION Gets an incident comment. @@ -108,7 +114,7 @@ Incident comment ID ```yaml Type: System.String -Parameter Sets: Get +Parameter Sets: Get, GetViaIdentityIncident Aliases: IncidentCommentId Required: True 
@@ -133,9 +139,23 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -IncidentInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentityIncident +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -253,7 +273,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IIncidentComment ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentEntity.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentEntity.md index 09dee1c030a6..9344a6ccefb6 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentEntity.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentEntity.md @@ -152,7 +152,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentEntitiesResponse +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IIncidentEntitiesResponse ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentRelation.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentRelation.md index 5d6dea9d95c1..46c7943370f2 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentRelation.md 
+++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelIncidentRelation.md @@ -31,6 +31,12 @@ Get-AzSentinelIncidentRelation -InputObject [-Defaul [] ``` +### GetViaIdentityIncident +``` +Get-AzSentinelIncidentRelation -IncidentInputObject -RelationName + [-DefaultProfile ] [] +``` + ## DESCRIPTION Gets an incident relation. @@ -133,9 +139,23 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -IncidentInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentityIncident +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -170,7 +190,7 @@ Relation Name ```yaml Type: System.String -Parameter Sets: Get +Parameter Sets: Get, GetViaIdentityIncident Aliases: Required: True @@ -268,7 +288,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IRelation ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelMetadata.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelMetadata.md index 8e9b08aa8d3b..5f4fd125003a 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelMetadata.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelMetadata.md 
@@ -85,7 +85,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -217,7 +216,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IMetadataModel +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IMetadataModel ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelOnboardingState.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelOnboardingState.md index bfdc0c6f797e..c0dd1bd67aac 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelOnboardingState.md @@ -79,7 +79,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -164,7 +163,9 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISentinelOnboardingState +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISentinelOnboardingState + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISentinelOnboardingStatesList ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelSetting.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelSetting.md index 480f11433513..3f109891f75f 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelSetting.md 
+++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelSetting.md @@ -110,7 +110,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -195,7 +194,9 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISettings +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISettingList + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISettings ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelThreatIntelligenceIndicator.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelThreatIntelligenceIndicator.md index 49b471e887e5..bad69c7ce86b 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelThreatIntelligenceIndicator.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelThreatIntelligenceIndicator.md @@ -117,7 +117,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -250,7 +249,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IThreatIntelligenceInformation +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IThreatIntelligenceInformation ## NOTES 
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelThreatIntelligenceIndicatorMetric.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelThreatIntelligenceIndicatorMetric.md index db28e0be3015..e5ffc8989b38 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelThreatIntelligenceIndicatorMetric.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Get-AzSentinelThreatIntelligenceIndicatorMetric.md @@ -107,7 +107,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IThreatIntelligenceMetrics +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IThreatIntelligenceMetricsList ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md index 2302e83c5f64..3db8eab7b1f1 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md @@ -12,6 +12,7 @@ Query threat intelligence indicators as per filtering criteria. ## SYNTAX +### QueryExpanded (Default) ``` Invoke-AzSentinelThreatIntelligenceIndicatorQuery -ResourceGroupName -WorkspaceName [-SubscriptionId ] [-Id ] [-IncludeDisabled] [-Keyword ] [-MaxConfidence ] 
@@ -21,6 +22,29 @@ Invoke-AzSentinelThreatIntelligenceIndicatorQuery -ResourceGroupName -W [] ``` +### QueryViaIdentityExpanded +``` +Invoke-AzSentinelThreatIntelligenceIndicatorQuery -InputObject [-Id ] + [-IncludeDisabled] [-Keyword ] [-MaxConfidence ] [-MaxValidUntil ] + [-MinConfidence ] [-MinValidUntil ] [-PageSize ] [-PatternType ] + [-SkipToken ] [-SortBy ] [-Source ] + [-ThreatType ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +### QueryViaJsonFilePath +``` +Invoke-AzSentinelThreatIntelligenceIndicatorQuery -ResourceGroupName -WorkspaceName + -JsonFilePath [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +### QueryViaJsonString +``` +Invoke-AzSentinelThreatIntelligenceIndicatorQuery -ResourceGroupName -WorkspaceName + -JsonString [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + ## DESCRIPTION Query threat intelligence indicators as per filtering criteria. @@ -62,7 +86,7 @@ Ids of threat intelligence indicators ```yaml Type: System.String[] -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaIdentityExpanded Aliases: Required: False @@ -77,7 +101,7 @@ Parameter to include/exclude disabled indicators. ```yaml Type: System.Management.Automation.SwitchParameter -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaIdentityExpanded Aliases: Required: False 
@@ -87,12 +111,57 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -InputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: QueryViaIdentityExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -JsonFilePath +Path of Json file supplied to the Query operation + +```yaml +Type: System.String +Parameter Sets: QueryViaJsonFilePath +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -JsonString +Json string supplied to the Query operation + +```yaml +Type: System.String +Parameter Sets: QueryViaJsonString +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -Keyword Keywords for searching threat intelligence indicators ```yaml Type: System.String[] -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaIdentityExpanded Aliases: Required: False @@ -107,7 +176,7 @@ Maximum confidence. ```yaml Type: System.Int32 -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaIdentityExpanded Aliases: Required: False @@ -122,7 +191,7 @@ End time for ValidUntil filter. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaIdentityExpanded Aliases: Required: False @@ -137,7 +206,7 @@ Minimum confidence. ```yaml Type: System.Int32 -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaIdentityExpanded Aliases: Required: False @@ -152,7 +221,7 @@ Start time for ValidUntil filter. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaIdentityExpanded Aliases: Required: False 
@@ -167,7 +236,7 @@ Page size ```yaml Type: System.Int32 -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaIdentityExpanded Aliases: Required: False @@ -182,7 +251,7 @@ Pattern types ```yaml Type: System.String[] -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaIdentityExpanded Aliases: Required: False @@ -198,7 +267,7 @@ The name is case insensitive. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaJsonFilePath, QueryViaJsonString Aliases: Required: True @@ -213,7 +282,7 @@ Skip token. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaIdentityExpanded Aliases: Required: False @@ -225,11 +294,10 @@ Accept wildcard characters: False ### -SortBy Columns to sort by and sorting order -To construct, see NOTES section for SORTBY properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IThreatIntelligenceSortingCriteria[] -Parameter Sets: (All) +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IThreatIntelligenceSortingCriteria[] +Parameter Sets: QueryExpanded, QueryViaIdentityExpanded Aliases: Required: False @@ -244,7 +312,7 @@ Sources of threat intelligence indicators ```yaml Type: System.String[] -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaIdentityExpanded Aliases: Required: False @@ -259,7 +327,7 @@ The ID of the target subscription. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaJsonFilePath, QueryViaJsonString Aliases: Required: False @@ -274,7 +342,7 @@ Threat types of threat intelligence indicators ```yaml Type: System.String[] -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaIdentityExpanded Aliases: Required: False 
@@ -289,7 +357,7 @@ The name of the workspace. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: QueryExpanded, QueryViaJsonFilePath, QueryViaJsonString Aliases: Required: True @@ -335,9 +403,11 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## INPUTS +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IThreatIntelligenceInformation +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IThreatIntelligenceInformation ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelAlertRule.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelAlertRule.md index cd5453b81089..85f70988ba8f 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelAlertRule.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelAlertRule.md 
@@ -15,27 +15,27 @@ Creates the alert rule. ### FusionMLTI (Default) ``` New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -AlertRuleTemplate - -Kind [-RuleId ] [-SubscriptionId ] [-Enabled] [-DefaultProfile ] - [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + -Kind [-RuleId ] [-SubscriptionId ] [-Enabled] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### MicrosoftSecurityIncidentCreation ``` -New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -Kind - -ProductFilter [-RuleId ] [-SubscriptionId ] - [-AlertRuleTemplateName ] [-Description ] [-DisplayNamesExcludeFilter ] - [-DisplayNamesFilter ] [-Enabled] [-SeveritiesFilter ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -Kind + -ProductFilter [-RuleId ] [-SubscriptionId ] [-AlertRuleTemplateName ] + [-Description ] [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] [-Enabled] + [-SeveritiesFilter ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] ``` ### NRT ``` New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -DisplayName - -Kind -Query -Severity [-RuleId ] [-SubscriptionId ] + -Kind -Query -Severity [-RuleId ] [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] [-CreateIncident] - [-Description ] [-Enabled] [-EntityMapping ] [-GroupByAlertDetail ] - [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] + [-Description ] [-Enabled] [-EntityMapping ] [-GroupByAlertDetail ] + [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-ReOpenClosedIncident] [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] 
@@ -44,13 +44,13 @@ New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -Dis ### Scheduled ``` New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -DisplayName - -Kind -Query -QueryFrequency -QueryPeriod - -Severity -TriggerOperator -TriggerThreshold [-RuleId ] - [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] - [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] - [-CreateIncident] [-Description ] [-Enabled] [-EntityMapping ] - [-EventGroupingSettingAggregationKind ] [-GroupByAlertDetail ] - [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] + -Kind -Query -QueryFrequency -QueryPeriod -Severity + -TriggerOperator -TriggerThreshold [-RuleId ] [-SubscriptionId ] + [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] + [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] [-CreateIncident] + [-Description ] [-Enabled] [-EntityMapping ] + [-EventGroupingSettingAggregationKind ] [-GroupByAlertDetail ] + [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-ReOpenClosedIncident] [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] 
@@ -95,7 +95,7 @@ This command creates an Alert Rule of the MicrosoftSecurityIncidentCreation kind ### Example 5: Create a Scheduled Alert Rule ```powershell -New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10 +New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Execution Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventID == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10 ``` This command creates an Alert Rule of the Scheduled kind. @@ -323,10 +323,9 @@ Accept wildcard characters: False ### -EntityMapping 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' -To construct, see NOTES section for ENTITYMAPPING properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.EntityMapping[] Parameter Sets: NRT, Scheduled Aliases: @@ -341,7 +340,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind +Type: System.String Parameter Sets: Scheduled Aliases: @@ -356,7 +355,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail[] +Type: System.String[] Parameter Sets: NRT, Scheduled Aliases: 
@@ -386,7 +385,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[] +Type: System.String[] Parameter Sets: NRT, Scheduled Aliases: @@ -416,7 +415,7 @@ Accept wildcard characters: False Kind of the the data connection ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertRuleKind +Type: System.String Parameter Sets: (All) Aliases: @@ -476,7 +475,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName +Type: System.String Parameter Sets: MicrosoftSecurityIncidentCreation Aliases: @@ -582,7 +581,7 @@ Accept wildcard characters: False High, Medium, Low, Informational ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[] +Type: System.String[] Parameter Sets: MicrosoftSecurityIncidentCreation Aliases: @@ -597,7 +596,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity +Type: System.String Parameter Sets: NRT, Scheduled Aliases: @@ -655,7 +654,6 @@ Accept wildcard characters: False ``` ### -Tactic -[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic] InitialAccess, Execution, Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Collection, Exfiltration, CommandAndControl, Impact, PreAttack ```yaml @@ -674,7 +672,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator +Type: System.String Parameter Sets: Scheduled Aliases: @@ -753,7 +751,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AlertRule ## NOTES 
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelAlertRuleAction.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelAlertRuleAction.md index ba345cd7e57c..ab6f116f68f0 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelAlertRuleAction.md @@ -8,18 +8,40 @@ schema: 2.0.0 # New-AzSentinelAlertRuleAction ## SYNOPSIS -Creates or updates the action of alert rule. +Create the action of alert rule. ## SYNTAX +### CreateExpanded (Default) ``` New-AzSentinelAlertRuleAction -ResourceGroupName -RuleId -WorkspaceName [-Id ] [-SubscriptionId ] [-LogicAppResourceId ] [-TriggerUri ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` +### CreateViaIdentityAlertRuleExpanded +``` +New-AzSentinelAlertRuleAction -AlertRuleInputObject [-Id ] + [-LogicAppResourceId ] [-TriggerUri ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +### CreateViaJsonFilePath +``` +New-AzSentinelAlertRuleAction -ResourceGroupName -RuleId -WorkspaceName + -JsonFilePath [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] + [-WhatIf] [] +``` + +### CreateViaJsonString +``` +New-AzSentinelAlertRuleAction -ResourceGroupName -RuleId -WorkspaceName + -JsonString [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] + [-WhatIf] [] +``` + ## DESCRIPTION -Creates or updates the action of alert rule. +Create the action of alert rule. ## EXAMPLES 
@@ -34,6 +56,21 @@ This command adds an existing Logic App Playbook to an existing analytics rule ## PARAMETERS +### -AlertRuleInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: CreateViaIdentityAlertRuleExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -DefaultProfile The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription. @@ -65,12 +102,42 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -JsonFilePath +Path of Json file supplied to the Create operation + +```yaml +Type: System.String +Parameter Sets: CreateViaJsonFilePath +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -JsonString +Json string supplied to the Create operation + +```yaml +Type: System.String +Parameter Sets: CreateViaJsonString +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -LogicAppResourceId Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaIdentityAlertRuleExpanded Aliases: Required: False @@ -86,7 +153,7 @@ The name is case insensitive. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: True @@ -101,7 +168,7 @@ Alert rule ID ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: True 
@@ -116,7 +183,7 @@ The ID of the target subscription. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: False @@ -131,7 +198,7 @@ Logic App Callback URL for this specific workflow. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaIdentityAlertRuleExpanded Aliases: Required: False @@ -146,7 +213,7 @@ The name of the workspace. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: True @@ -192,9 +259,11 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## INPUTS +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IActionResponse +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IActionResponse ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelAutomationRule.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelAutomationRule.md index d64ec4ce81fa..2ba6154ba7e7 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelAutomationRule.md @@ -8,7 +8,7 @@ schema: 2.0.0 # New-AzSentinelAutomationRule ## SYNOPSIS -Creates or updates the automation rule. +Create the automation rule. ## SYNTAX 
@@ -20,22 +20,29 @@ New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName [-TriggeringLogicIsEnabled] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` -### Create +### CreateViaJsonFilePath ``` -New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName - -AutomationRule [-Id ] [-SubscriptionId ] [-DefaultProfile ] - [-Confirm] [-WhatIf] [] +New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName -JsonFilePath + [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +### CreateViaJsonString +``` +New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName -JsonString + [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] ``` ## DESCRIPTION -Creates or updates the automation rule. +Create the automation rule. ## EXAMPLES ### Example 1: Create an Automation Rule using Run Playbook ```powershell $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword" - $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new() + $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AutomationRuleRunPlaybookAction]::new() $automationRuleAction.Order = 1 $automationRuleAction.ActionType = "RunPlaybook" $automationRuleAction.ActionConfigurationLogicAppResourceId = ($LogicAppResourceId.Id) 
@@ -47,7 +54,7 @@ This command creates an Automation Rule that has an Action of Run Playbook. ### Example 2: Creates an Automation Rule that has an Action of changing the severity ```powershell - $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleModifyPropertiesAction]::new() + $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AutomationRuleModifyPropertiesAction]::new() $automationRuleAction.Order = 1 $automationRuleAction.ActionType = "ModifyProperties" $automationRuleAction.ActionConfigurationSeverity = "Low" @@ -60,10 +67,9 @@ This command creates an Automation Rule that has an Action of changing the sever ### -Action The actions to execute when the automation rule is triggered -To construct, see NOTES section for ACTION properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRuleAction[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IAutomationRuleAction[] Parameter Sets: CreateExpanded Aliases: @@ -74,22 +80,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -AutomationRule -Represents an automation rule. -To construct, see NOTES section for AUTOMATIONRULE properties and create a hash table. - -```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule -Parameter Sets: Create -Aliases: - -Required: True -Position: Named -Default value: None -Accept pipeline input: True (ByValue) -Accept wildcard characters: False -``` - ### -DefaultProfile The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription. 
@@ -136,6 +126,36 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -JsonFilePath +Path of Json file supplied to the Create operation + +```yaml +Type: System.String +Parameter Sets: CreateViaJsonFilePath +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -JsonString +Json string supplied to the Create operation + +```yaml +Type: System.String +Parameter Sets: CreateViaJsonString +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -Order The order of execution of the automation rule @@ -186,7 +206,7 @@ Accept wildcard characters: False The conditions to evaluate to determine if the automation rule should be triggered on a given object ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRuleCondition[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IAutomationRuleCondition[] Parameter Sets: CreateExpanded Aliases: @@ -278,11 +298,9 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## INPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule - ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IAutomationRule ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelBookmark.md index f25c8e4ae6a5..a2983a4669ad 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelBookmark.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelBookmark.md 
@@ -8,7 +8,7 @@ schema: 2.0.0 # New-AzSentinelBookmark ## SYNOPSIS -Creates or updates the bookmark. +Create the bookmark. ## SYNTAX @@ -16,20 +16,27 @@ Creates or updates the bookmark. ``` New-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-Id ] [-SubscriptionId ] [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] - [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] + [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] - [-QueryStartTime ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] + [-QueryStartTime ] [-UpdatedByEmail ] [-UpdatedByName ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` -### Create +### CreateViaJsonFilePath ``` -New-AzSentinelBookmark -ResourceGroupName -WorkspaceName -Bookmark +New-AzSentinelBookmark -ResourceGroupName -WorkspaceName -JsonFilePath [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` +### CreateViaJsonString +``` +New-AzSentinelBookmark -ResourceGroupName -WorkspaceName -JsonString [-Id ] + [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + ## DESCRIPTION -Creates or updates the bookmark. +Create the bookmark. ## EXAMPLES @@ -52,22 +59,6 @@ This command creates a Bookmark. ## PARAMETERS -### -Bookmark -Represents a bookmark in Azure Security Insights. -To construct, see NOTES section for BOOKMARK properties and create a hash table. - -```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark -Parameter Sets: Create -Aliases: - -Required: True -Position: Named -Default value: None -Accept pipeline input: True (ByValue) -Accept wildcard characters: False -``` - ### -DefaultProfile The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription. 
@@ -163,7 +154,7 @@ Accept wildcard characters: False The severity of the incident ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentSeverity +Type: System.String Parameter Sets: CreateExpanded Aliases: @@ -189,6 +180,36 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -JsonFilePath +Path of Json file supplied to the Create operation + +```yaml +Type: System.String +Parameter Sets: CreateViaJsonFilePath +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -JsonString +Json string supplied to the Create operation + +```yaml +Type: System.String +Parameter Sets: CreateViaJsonString +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -Label List of labels relevant to this bookmark @@ -310,6 +331,36 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -UpdatedByEmail +The email of the user. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UpdatedByName +The name of the user. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -WorkspaceName The name of the workspace. @@ -361,11 +412,9 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## INPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark - ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IBookmark ## NOTES 
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelBookmarkRelation.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelBookmarkRelation.md index 3bcbe2d64bab..e4987b69e747 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelBookmarkRelation.md @@ -8,7 +8,7 @@ schema: 2.0.0 # New-AzSentinelBookmarkRelation ## SYNOPSIS -Creates the bookmark relation. +Create the bookmark relation. ## SYNTAX @@ -19,15 +19,28 @@ New-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` -### Create +### CreateViaIdentityBookmarkExpanded +``` +New-AzSentinelBookmarkRelation -BookmarkInputObject [-RelationName ] + [-RelatedResourceId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +### CreateViaJsonFilePath ``` New-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName -WorkspaceName - -Relation [-RelationName ] [-SubscriptionId ] [-DefaultProfile ] + -JsonFilePath [-RelationName ] [-SubscriptionId ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +### CreateViaJsonString +``` +New-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName -WorkspaceName + -JsonString [-RelationName ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION -Creates the bookmark relation. +Create the bookmark relation. ## EXAMPLES @@ -46,7 +59,7 @@ Bookmark ID ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: True 
@@ -56,6 +69,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -BookmarkInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: CreateViaIdentityBookmarkExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -DefaultProfile The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription. @@ -72,34 +100,48 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -RelatedResourceId -The resource ID of the related resource +### -JsonFilePath +Path of Json file supplied to the Create operation ```yaml Type: System.String -Parameter Sets: CreateExpanded +Parameter Sets: CreateViaJsonFilePath Aliases: -Required: False +Required: True Position: Named Default value: None Accept pipeline input: False Accept wildcard characters: False ``` -### -Relation -Represents a relation between two resources -To construct, see NOTES section for RELATION properties and create a hash table. +### -JsonString +Json string supplied to the Create operation ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation -Parameter Sets: Create +Type: System.String +Parameter Sets: CreateViaJsonString Aliases: Required: True Position: Named Default value: None -Accept pipeline input: True (ByValue) +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RelatedResourceId +The resource ID of the related resource + +```yaml +Type: System.String +Parameter Sets: CreateExpanded, CreateViaIdentityBookmarkExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False Accept wildcard characters: False ``` 
@@ -124,7 +166,7 @@ The name is case insensitive. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: True @@ -139,7 +181,7 @@ The ID of the target subscription. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: False @@ -154,7 +196,7 @@ The name of the workspace. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: True @@ -200,11 +242,11 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## INPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IRelation ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelDataConnector.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelDataConnector.md index 7c5d7703cf38..5bd149fbfbd2 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelDataConnector.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelDataConnector.md 
@@ -14,22 +14,22 @@ Creates or updates the data connector. ### AADAATP (Default) ``` -New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-Id ] [-SubscriptionId ] [-Alerts ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind [-Id ] + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### AmazonWebServicesCloudTrail ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -AWSRoleArn - -Kind [-Id ] [-SubscriptionId ] [-Log ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + -Kind [-Id ] [-SubscriptionId ] [-Log ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### AmazonWebServicesS3 ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -AWSRoleArn - -DetinationTable -Kind -Log -SQSURL [-Id ] + -DetinationTable -Kind -Log -SQSURL [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` 
@@ -37,96 +37,95 @@ New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName ### AzureSecurityCenter ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -ASCSubscriptionId - -Kind [-Id ] [-SubscriptionId ] [-Alerts ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + -Kind [-Id ] [-SubscriptionId ] [-Alerts ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### Dynamics365 ``` -New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-Id ] [-SubscriptionId ] [-CommonDataServiceActivity ] [-TenantId ] +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind [-Id ] + [-SubscriptionId ] [-CommonDataServiceActivity ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### GenericUI ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName - -AvailabilityIsPreview -Kind - -UiConfigConnectivityCriterion -UiConfigDataType - -UiConfigDescriptionMarkdown -UiConfigGraphQueriesTableName - -UiConfigGraphQuery -UiConfigInstructionStep - -UiConfigPublisher -UiConfigSampleQuery -UiConfigTitle [-Id ] - [-SubscriptionId ] [-AvailabilityStatus ] [-PermissionCustom ] + -AvailabilityIsPreview -Kind -UiConfigConnectivityCriterion + -UiConfigDataType -UiConfigDescriptionMarkdown + -UiConfigGraphQueriesTableName -UiConfigGraphQuery + -UiConfigInstructionStep -UiConfigPublisher + -UiConfigSampleQuery -UiConfigTitle [-Id ] [-SubscriptionId ] + [-AvailabilityStatus ] [-PermissionCustom ] [-PermissionResourceProvider ] [-UiConfigCustomImage ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### MicrosoftCloudAppSecurity ``` -New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-Id ] [-SubscriptionId ] [-Alerts ] [-DiscoveryLog ] [-TenantId ] +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind [-Id ] + [-SubscriptionId ] [-Alerts ] [-DiscoveryLog ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### 
MicrosoftDefenderAdvancedThreatProtection ``` -New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-Id ] [-SubscriptionId ] [-Alerts ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind [-Id ] + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### MicrosoftThreatIntelligence ``` -New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-Id ] [-SubscriptionId ] [-BingSafetyPhishingURL ] - [-BingSafetyPhishingUrlLookbackPeriod ] [-MicrosoftEmergingThreatFeed ] - [-MicrosoftEmergingThreatFeedLookbackPeriod ] [-TenantId ] [-DefaultProfile ] - [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind [-Id ] + [-SubscriptionId ] [-BingSafetyPhishingURL ] [-BingSafetyPhishingUrlLookbackPeriod ] + [-MicrosoftEmergingThreatFeed ] [-MicrosoftEmergingThreatFeedLookbackPeriod ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] ``` ### MicrosoftThreatProtection ``` -New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-Id ] [-SubscriptionId ] [-Incident ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind [-Id ] + [-SubscriptionId ] [-Incident ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### Office365 ``` -New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-Id ] [-SubscriptionId ] [-Exchange ] [-SharePoint ] [-Teams ] - [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] - [] +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind [-Id ] + [-SubscriptionId ] [-Exchange ] [-SharePoint ] [-Teams ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### OfficeATP ``` 
-New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-Id ] [-SubscriptionId ] [-Alerts ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind [-Id ] + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### OfficeIRM ``` -New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-Id ] [-SubscriptionId ] [-Alerts ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind [-Id ] + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### ThreatIntelligence ``` -New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-Id ] [-SubscriptionId ] [-Indicator ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind [-Id ] + [-SubscriptionId ] [-Indicator ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### ThreatIntelligenceTaxii ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -APIRootURL - -CollectionId -FriendlyName -Kind -PollingFrequency - -WorkspaceId [-Id ] [-SubscriptionId ] [-Password ] - [-TaxiiLookbackPeriod ] [-TenantId ] [-UserName ] [-DefaultProfile ] - [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + -CollectionId -FriendlyName -Kind -PollingFrequency -WorkspaceId + [-Id ] [-SubscriptionId ] [-Password ] [-TaxiiLookbackPeriod ] + [-TenantId ] [-UserName ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] + [-WhatIf] [] ``` ## DESCRIPTION @@ -432,7 +431,7 @@ Accept wildcard characters: False Kind of the the data connection ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind +Type: System.String Parameter Sets: (All) Aliases: 
@@ -520,10 +519,9 @@ Accept wildcard characters: False ### -PermissionCustom [Parameter(ParameterSetName = 'APIPolling')] -To construct, see NOTES section for PERMISSIONCUSTOM properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.PermissionsCustomsItem[] Parameter Sets: GenericUI Aliases: @@ -536,10 +534,9 @@ Accept wildcard characters: False ### -PermissionResourceProvider [Parameter(ParameterSetName = 'APIPolling')] -To construct, see NOTES section for PERMISSIONRESOURCEPROVIDER properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.PermissionsResourceProviderItem[] Parameter Sets: GenericUI Aliases: @@ -554,7 +551,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency +Type: System.String Parameter Sets: ThreatIntelligenceTaxii Aliases: @@ -673,10 +670,9 @@ Accept wildcard characters: False ### -UiConfigConnectivityCriterion [Parameter(ParameterSetName = 'APIPolling', Mandatory)] -To construct, see NOTES section for UICONFIGCONNECTIVITYCRITERION properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ConnectivityCriteria[] Parameter Sets: GenericUI Aliases: 
@@ -704,10 +700,9 @@ Accept wildcard characters: False ### -UiConfigDataType [Parameter(ParameterSetName = 'APIPolling', Mandatory)] -To construct, see NOTES section for UICONFIGDATATYPE properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.LastDataReceivedDataType[] Parameter Sets: GenericUI Aliases: @@ -750,10 +745,9 @@ Accept wildcard characters: False ### -UiConfigGraphQuery [Parameter(ParameterSetName = 'APIPolling', Mandatory)] -To construct, see NOTES section for UICONFIGGRAPHQUERY properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.GraphQueries[] Parameter Sets: GenericUI Aliases: @@ -766,10 +760,9 @@ Accept wildcard characters: False ### -UiConfigInstructionStep [Parameter(ParameterSetName = 'APIPolling', Mandatory)] -To construct, see NOTES section for UICONFIGINSTRUCTIONSTEP properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.InstructionSteps[] Parameter Sets: GenericUI Aliases: @@ -797,10 +790,9 @@ Accept wildcard characters: False ### -UiConfigSampleQuery [Parameter(ParameterSetName = 'APIPolling', Mandatory)] -To construct, see NOTES section for UICONFIGSAMPLEQUERY properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.SampleQueries[] Parameter Sets: GenericUI Aliases: 
@@ -909,7 +901,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.DataConnector ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelEntityQuery.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelEntityQuery.md index 375ca2bed2e4..54a174a8788d 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelEntityQuery.md @@ -14,11 +14,10 @@ Creates or updates the entity query. ``` New-AzSentinelEntityQuery -ResourceGroupName -WorkspaceName -Content - -Description -InputEntityType -Kind -QueryDefinitionQuery - -Title [-Id ] [-SubscriptionId ] - [-EntitiesFilter ] [-RequiredInputFieldsSet ] - [-TemplateName ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] - [] + -Description -InputEntityType -Kind -QueryDefinitionQuery -Title + [-Id ] [-SubscriptionId ] [-EntitiesFilter ] + [-RequiredInputFieldsSet ] [-TemplateName ] [-DefaultProfile ] [-AsJob] [-NoWait] + [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION @@ -115,10 +114,10 @@ Accept wildcard characters: False ``` ### -EntitiesFilter -To construct, see NOTES section for ENTITIESFILTER properties and create a hash table. + ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ActivityEntityQueriesPropertiesEntitiesFilter Parameter Sets: (All) Aliases: @@ -135,7 +134,7 @@ The Id of the Entity Query. ```yaml Type: System.String Parameter Sets: (All) -Aliases: +Aliases: EntityQueryId Required: False Position: Named 
@@ -148,7 +147,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType +Type: System.String Parameter Sets: (All) Aliases: @@ -163,7 +162,7 @@ Accept wildcard characters: False Kind of the the Entity Query ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityQueryKind +Type: System.String Parameter Sets: (All) Aliases: @@ -334,7 +333,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.CustomEntityQuery ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncident.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncident.md index 74611f758884..2b306f17fcd1 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncident.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncident.md 
@@ -8,31 +8,36 @@ schema: 2.0.0 # New-AzSentinelIncident ## SYNOPSIS -Creates or updates the incident. +Create the incident. ## SYNTAX ### CreateExpanded (Default) ``` New-AzSentinelIncident -ResourceGroupName -WorkspaceName [-Id ] - [-SubscriptionId ] [-Classification ] [-ClassificationComment ] - [-ClassificationReason ] [-Description ] - [-FirstActivityTimeUtc ] [-Label ] [-LastActivityTimeUtc ] - [-OwnerAssignedTo ] [-OwnerEmail ] [-OwnerObjectId ] - [-OwnerUserPrincipalName ] [-ProviderIncidentId ] [-ProviderName ] - [-Severity ] [-Status ] [-Title ] [-DefaultProfile ] - [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-Classification ] [-ClassificationComment ] + [-ClassificationReason ] [-Description ] [-FirstActivityTimeUtc ] + [-Label ] [-LastActivityTimeUtc ] [-OwnerAssignedTo ] + [-OwnerEmail ] [-OwnerObjectId ] [-OwnerUserPrincipalName ] + [-ProviderIncidentId ] [-ProviderName ] [-Severity ] [-Status ] + [-Title ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` -### Create +### CreateViaJsonFilePath ``` -New-AzSentinelIncident -ResourceGroupName -WorkspaceName -Incident +New-AzSentinelIncident -ResourceGroupName -WorkspaceName -JsonFilePath [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` +### CreateViaJsonString +``` +New-AzSentinelIncident -ResourceGroupName -WorkspaceName -JsonString [-Id ] + [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + ## DESCRIPTION -Creates or updates the incident. +Create the incident. ## EXAMPLES @@ -60,7 +65,7 @@ This command creates an Incident. The reason the incident was closed ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentClassification +Type: System.String Parameter Sets: CreateExpanded Aliases: 
@@ -90,7 +95,7 @@ Accept wildcard characters: False The classification reason the incident was closed with ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentClassificationReason +Type: System.String Parameter Sets: CreateExpanded Aliases: @@ -162,28 +167,41 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Incident -Represents an incident in Azure Security Insights. -To construct, see NOTES section for INCIDENT properties and create a hash table. +### -JsonFilePath +Path of Json file supplied to the Create operation + +```yaml +Type: System.String +Parameter Sets: CreateViaJsonFilePath +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -JsonString +Json string supplied to the Create operation ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident -Parameter Sets: Create +Type: System.String +Parameter Sets: CreateViaJsonString Aliases: Required: True Position: Named Default value: None -Accept pipeline input: True (ByValue) +Accept pipeline input: False Accept wildcard characters: False ``` ### -Label List of labels relevant to this incident -To construct, see NOTES section for LABEL properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentLabel[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IIncidentLabel[] Parameter Sets: CreateExpanded Aliases: @@ -319,7 +337,7 @@ Accept wildcard characters: False The severity of the incident ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentSeverity +Type: System.String Parameter Sets: CreateExpanded Aliases: 
@@ -334,7 +352,7 @@ Accept wildcard characters: False The status of the incident ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentStatus +Type: System.String Parameter Sets: CreateExpanded Aliases: @@ -426,11 +444,9 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## INPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident - ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IIncident ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncidentComment.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncidentComment.md index f665c8c1be9a..e3e460d77226 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncidentComment.md @@ -8,7 +8,7 @@ schema: 2.0.0 # New-AzSentinelIncidentComment ## SYNOPSIS -Creates or updates the incident comment. +Create the incident comment. ## SYNTAX 
@@ -19,15 +19,28 @@ New-AzSentinelIncidentComment -IncidentId -ResourceGroupName - [-WhatIf] [] ``` -### Create +### CreateViaIdentityIncidentExpanded +``` +New-AzSentinelIncidentComment -IncidentInputObject [-Id ] + [-Message ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +### CreateViaJsonFilePath ``` New-AzSentinelIncidentComment -IncidentId -ResourceGroupName -WorkspaceName - -IncidentComment [-Id ] [-SubscriptionId ] [-DefaultProfile ] - [-Confirm] [-WhatIf] [] + -JsonFilePath [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] + [-WhatIf] [] +``` + +### CreateViaJsonString +``` +New-AzSentinelIncidentComment -IncidentId -ResourceGroupName -WorkspaceName + -JsonString [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] + [-WhatIf] [] ``` ## DESCRIPTION -Creates or updates the incident comment. +Create the incident comment. ## EXAMPLES @@ -71,13 +84,27 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -IncidentComment -Represents an incident comment -To construct, see NOTES section for INCIDENTCOMMENT properties and create a hash table. +### -IncidentId +Incident ID ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment -Parameter Sets: Create +Type: System.String +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: CreateViaIdentityIncidentExpanded Aliases: Required: True 
@@ -87,12 +114,27 @@ Accept pipeline input: True (ByValue) Accept wildcard characters: False ``` -### -IncidentId -Incident ID +### -JsonFilePath +Path of Json file supplied to the Create operation ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateViaJsonFilePath +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -JsonString +Json string supplied to the Create operation + +```yaml +Type: System.String +Parameter Sets: CreateViaJsonString Aliases: Required: True @@ -107,7 +149,7 @@ The comment message ```yaml Type: System.String -Parameter Sets: CreateExpanded +Parameter Sets: CreateExpanded, CreateViaIdentityIncidentExpanded Aliases: Required: False @@ -123,7 +165,7 @@ The name is case insensitive. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: True @@ -138,7 +180,7 @@ The ID of the target subscription. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: False @@ -153,7 +195,7 @@ The name of the workspace. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: True @@ -199,11 +241,11 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## INPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IIncidentComment ## NOTES 
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncidentRelation.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncidentRelation.md index 6ce8de0899bd..c7aba42af1cc 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncidentRelation.md @@ -8,7 +8,7 @@ schema: 2.0.0 # New-AzSentinelIncidentRelation ## SYNOPSIS -Creates or updates the incident relation. +Create the incident relation. ## SYNTAX @@ -19,15 +19,28 @@ New-AzSentinelIncidentRelation -IncidentId -ResourceGroupName [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` -### Create +### CreateViaIdentityIncidentExpanded +``` +New-AzSentinelIncidentRelation -IncidentInputObject [-RelationName ] + [-RelatedResourceId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +### CreateViaJsonFilePath ``` New-AzSentinelIncidentRelation -IncidentId -ResourceGroupName -WorkspaceName - -Relation [-RelationName ] [-SubscriptionId ] [-DefaultProfile ] + -JsonFilePath [-RelationName ] [-SubscriptionId ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +### CreateViaJsonString +``` +New-AzSentinelIncidentRelation -IncidentId -ResourceGroupName -WorkspaceName + -JsonString [-RelationName ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION -Creates or updates the incident relation. +Create the incident relation. ## EXAMPLES @@ -69,7 +82,7 @@ Incident ID ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: True 
@@ -79,34 +92,63 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -RelatedResourceId -The resource ID of the related resource +### -IncidentInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: CreateViaIdentityIncidentExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -JsonFilePath +Path of Json file supplied to the Create operation ```yaml Type: System.String -Parameter Sets: CreateExpanded +Parameter Sets: CreateViaJsonFilePath Aliases: -Required: False +Required: True Position: Named Default value: None Accept pipeline input: False Accept wildcard characters: False ``` -### -Relation -Represents a relation between two resources -To construct, see NOTES section for RELATION properties and create a hash table. +### -JsonString +Json string supplied to the Create operation ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation -Parameter Sets: Create +Type: System.String +Parameter Sets: CreateViaJsonString Aliases: Required: True Position: Named Default value: None -Accept pipeline input: True (ByValue) +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RelatedResourceId +The resource ID of the related resource + +```yaml +Type: System.String +Parameter Sets: CreateExpanded, CreateViaIdentityIncidentExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False Accept wildcard characters: False ``` @@ -131,7 +173,7 @@ The name is case insensitive. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: True 
@@ -146,7 +188,7 @@ The ID of the target subscription. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: False @@ -161,7 +203,7 @@ The name of the workspace. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateExpanded, CreateViaJsonFilePath, CreateViaJsonString Aliases: Required: True @@ -207,11 +249,11 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## INPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IRelation ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncidentTeam.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncidentTeam.md index f2acc06c0e9d..8d779411015f 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncidentTeam.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelIncidentTeam.md @@ -8,7 +8,7 @@ schema: 2.0.0 # New-AzSentinelIncidentTeam ## SYNOPSIS -Creates a Microsoft team to investigate the incident by sharing information and insights between participants. +Create a Microsoft team to investigate the incident by sharing information and insights between participants. ## SYNTAX 
@@ -19,15 +19,22 @@ New-AzSentinelIncidentTeam -IncidentId -ResourceGroupName -Wor [-TeamDescription ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` -### Create +### CreateViaJsonFilePath ``` New-AzSentinelIncidentTeam -IncidentId -ResourceGroupName -WorkspaceName - -TeamProperty [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + -JsonFilePath [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +### CreateViaJsonString +``` +New-AzSentinelIncidentTeam -IncidentId -ResourceGroupName -WorkspaceName + -JsonString [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION -Creates a Microsoft team to investigate the incident by sharing information and insights between participants. +Create a Microsoft team to investigate the incident by sharing information and insights between participants. ## EXAMPLES @@ -41,7 +48,7 @@ Creates a Microsoft team to investigate the incident by sharing information and Description : Name : Incident : NewIncident3 PrimaryChannelUrl : https://teams.microsoft.com/l/team/19:vYoGjeGlZmTEDmu0gTbrk9T_eDS4pKIkEU7UuM1IyZk1%40thread.tacv2/conversations?groupId=3c637cc5-caf1-46c7-93ac-069c6 - 4b05395&tenantId=8f21ced5-2eff-4f8d-aff1-4dbb4cee8e3d + 4b05395&tenantId=00001111-aaaa-2222-bbbb-3333cccc4444 TeamCreationTimeUtc : 2/4/2022 3:02:03 PM TeamId : 3c637cc5-caf1-46c7-93ac-069c64b05395 ``` 
@@ -96,6 +103,36 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -JsonFilePath +Path of Json file supplied to the Create operation + +```yaml +Type: System.String +Parameter Sets: CreateViaJsonFilePath +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -JsonString +Json string supplied to the Create operation + +```yaml +Type: System.String +Parameter Sets: CreateViaJsonString +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -MemberId List of member IDs to add to the team @@ -172,22 +209,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -TeamProperty -Describes team properties -To construct, see NOTES section for TEAMPROPERTY properties and create a hash table. - -```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ITeamProperties -Parameter Sets: Create -Aliases: - -Required: True -Position: Named -Default value: None -Accept pipeline input: True (ByValue) -Accept wildcard characters: False -``` - ### -WorkspaceName The name of the workspace. @@ -239,11 +260,9 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## INPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ITeamProperties - ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ITeamInformation +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ITeamInformation ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelOnboardingState.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelOnboardingState.md index 25047a8fced7..71487c276adc 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelOnboardingState.md 
+++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/New-AzSentinelOnboardingState.md @@ -19,11 +19,18 @@ New-AzSentinelOnboardingState -Name -ResourceGroupName -Worksp [] ``` -### Create +### CreateViaJsonFilePath ``` New-AzSentinelOnboardingState -Name -ResourceGroupName -WorkspaceName - -SentinelOnboardingStateParameter [-SubscriptionId ] - [-DefaultProfile ] [-Confirm] [-WhatIf] [] + -JsonFilePath [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +### CreateViaJsonString +``` +New-AzSentinelOnboardingState -Name -ResourceGroupName -WorkspaceName + -JsonString [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] ``` ## DESCRIPTION @@ -71,14 +78,13 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Name -The Sentinel onboarding state name. -Supports - default +### -JsonFilePath +Path of Json file supplied to the Create operation ```yaml Type: System.String -Parameter Sets: (All) -Aliases: SentinelOnboardingStateName +Parameter Sets: CreateViaJsonFilePath +Aliases: Required: True Position: Named @@ -87,13 +93,12 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -ResourceGroupName -The name of the resource group. -The name is case insensitive. +### -JsonString +Json string supplied to the Create operation ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: CreateViaJsonString Aliases: Required: True 
@@ -103,19 +108,35 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -SentinelOnboardingStateParameter -Sentinel onboarding state -To construct, see NOTES section for SENTINELONBOARDINGSTATEPARAMETER properties and create a hash table. +### -Name +The Sentinel onboarding state name. +Supports - default ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISentinelOnboardingState -Parameter Sets: Create +Type: System.String +Parameter Sets: (All) +Aliases: SentinelOnboardingStateName + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) Aliases: Required: True Position: Named Default value: None -Accept pipeline input: True (ByValue) +Accept pipeline input: False Accept wildcard characters: False ``` @@ -185,11 +206,9 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## INPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISentinelOnboardingState - ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISentinelOnboardingState +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISentinelOnboardingState ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelAlertRule.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelAlertRule.md index f29ccd58c5b0..34b487d41bde 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelAlertRule.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelAlertRule.md 
@@ -56,7 +56,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelAlertRuleAction.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelAlertRuleAction.md index 4615c1f76cd6..daae041c9914 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelAlertRuleAction.md @@ -25,6 +25,12 @@ Remove-AzSentinelAlertRuleAction -InputObject [-Defa [-PassThru] [-Confirm] [-WhatIf] [] ``` +### DeleteViaIdentityAlertRule +``` +Remove-AzSentinelAlertRuleAction -AlertRuleInputObject -Id + [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] [] +``` + ## DESCRIPTION Delete the action of alert rule. @@ -39,6 +45,21 @@ This command removes an alert rule action. ## PARAMETERS +### -AlertRuleInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentityAlertRule +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -DefaultProfile The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription. @@ -60,7 +81,7 @@ Action ID ```yaml Type: System.String -Parameter Sets: Delete +Parameter Sets: Delete, DeleteViaIdentityAlertRule Aliases: ActionId Required: True 
@@ -72,7 +93,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelAutomationRule.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelAutomationRule.md index c540df572150..0d0a305e1bf8 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelAutomationRule.md @@ -71,7 +71,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelBookmark.md index 292b9698ffa6..fefe86825388 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelBookmark.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelBookmark.md @@ -71,7 +71,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelBookmarkRelation.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelBookmarkRelation.md index de9e1b0c6da2..1b8521c19503 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelBookmarkRelation.md 
+++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelBookmarkRelation.md @@ -25,6 +25,12 @@ Remove-AzSentinelBookmarkRelation -InputObject [-Def [-PassThru] [-Confirm] [-WhatIf] [] ``` +### DeleteViaIdentityBookmark +``` +Remove-AzSentinelBookmarkRelation -BookmarkInputObject -RelationName + [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] [] +``` + ## DESCRIPTION Delete the bookmark relation. @@ -54,6 +60,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -BookmarkInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentityBookmark +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -DefaultProfile The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription. @@ -72,7 +93,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -106,7 +126,7 @@ Relation Name ```yaml Type: System.String -Parameter Sets: Delete +Parameter Sets: Delete, DeleteViaIdentityBookmark Aliases: Required: True diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelDataConnector.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelDataConnector.md index 815b44761e24..7c62d1f952b3 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelDataConnector.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelDataConnector.md 
@@ -71,7 +71,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelEntityQuery.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelEntityQuery.md index ff92f248116d..8179a0454b72 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelEntityQuery.md @@ -79,7 +79,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelIncident.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelIncident.md index 1372957fc71c..03d311e765e0 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelIncident.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelIncident.md @@ -78,7 +78,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelIncidentComment.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelIncidentComment.md index 93eef1526029..cd5a0bf67b15 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelIncidentComment.md 
+++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelIncidentComment.md @@ -25,6 +25,12 @@ Remove-AzSentinelIncidentComment -InputObject [-Defa [-PassThru] [-Confirm] [-WhatIf] [] ``` +### DeleteViaIdentityIncident +``` +Remove-AzSentinelIncidentComment -Id -IncidentInputObject + [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] [] +``` + ## DESCRIPTION Delete the incident comment. @@ -60,7 +66,7 @@ Incident comment ID ```yaml Type: System.String -Parameter Sets: Delete +Parameter Sets: Delete, DeleteViaIdentityIncident Aliases: IncidentCommentId Required: True @@ -85,9 +91,23 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -IncidentInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentityIncident +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelIncidentRelation.md index 8237b55ba92e..2ca8c8ac579d 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelIncidentRelation.md @@ -25,6 +25,12 @@ Remove-AzSentinelIncidentRelation -InputObject [-Def [-PassThru] [-Confirm] [-WhatIf] [] ``` +### DeleteViaIdentityIncident +``` +Remove-AzSentinelIncidentRelation -IncidentInputObject -RelationName + [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] [] +``` + ## DESCRIPTION Delete the incident relation. 
@@ -70,9 +76,23 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -IncidentInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentityIncident +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -106,7 +126,7 @@ Relation Name ```yaml Type: System.String -Parameter Sets: Delete +Parameter Sets: Delete, DeleteViaIdentityIncident Aliases: Required: True diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelOnboardingState.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelOnboardingState.md index 2180f889ef84..67a1ae95f897 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Remove-AzSentinelOnboardingState.md @@ -56,7 +56,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Test-AzSentinelDataConnectorCheckRequirement.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Test-AzSentinelDataConnectorCheckRequirement.md index 887b3cd9beef..433128cc68b7 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Test-AzSentinelDataConnectorCheckRequirement.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Test-AzSentinelDataConnectorCheckRequirement.md 
@@ -15,15 +15,15 @@ Get requirements state for a data connector type. ### AADTenant (Default) ``` Test-AzSentinelDataConnectorCheckRequirement -ResourceGroupName -WorkspaceName - -Kind [-SubscriptionId ] [-TenantId ] [-DefaultProfile ] - [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + -Kind [-SubscriptionId ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### AzureSecurityCenter ``` Test-AzSentinelDataConnectorCheckRequirement -ResourceGroupName -WorkspaceName - -ASCSubscriptionId -Kind [-SubscriptionId ] [-DefaultProfile ] - [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + -ASCSubscriptionId -Kind [-SubscriptionId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION @@ -92,7 +92,7 @@ Accept wildcard characters: False Kind of the the data connection ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind +Type: System.String Parameter Sets: (All) Aliases: @@ -218,7 +218,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnectorsCheckRequirements +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.DataConnectorsCheckRequirements ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelAlertRule.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelAlertRule.md index a1fab810857d..d35bd9609bbb 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelAlertRule.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelAlertRule.md 
@@ -18,13 +18,13 @@ Update-AzSentinelAlertRule -ResourceGroupName -RuleId -Workspa [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-Disabled] [-DisplayName ] [-Enabled] - [-EntityMapping ] [-EventGroupingSettingAggregationKind ] - [-GroupByAlertDetail ] [-GroupByCustomDetail ] - [-GroupByEntity ] [-GroupingConfigurationEnabled] [-LookbackDuration ] - [-MatchingMethod ] [-Query ] [-QueryFrequency ] [-QueryPeriod ] - [-ReOpenClosedIncident] [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled] - [-Tactic ] [-TriggerOperator ] [-TriggerThreshold ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + [-EntityMapping ] [-EventGroupingSettingAggregationKind ] + [-GroupByAlertDetail ] [-GroupByCustomDetail ] [-GroupByEntity ] + [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-Query ] + [-QueryFrequency ] [-QueryPeriod ] [-ReOpenClosedIncident] [-Severity ] + [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-TriggerOperator ] + [-TriggerThreshold ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] ``` ### UpdateFusionMLTI @@ -39,8 +39,8 @@ Update-AzSentinelAlertRule -ResourceGroupName -RuleId -Workspa Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName -MicrosoftSecurityIncidentCreation [-SubscriptionId ] [-AlertRuleTemplateName ] [-Description ] [-Disabled] [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] - [-Enabled] [-ProductFilter ] [-SeveritiesFilter ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + [-Enabled] [-ProductFilter ] [-SeveritiesFilter ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateNRT 
@@ -49,10 +49,10 @@ Update-AzSentinelAlertRule -ResourceGroupName -RuleId -Workspa [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-Disabled] [-DisplayName ] [-Enabled] - [-EntityMapping ] [-GroupByAlertDetail ] [-GroupByCustomDetail ] - [-GroupByEntity ] [-GroupingConfigurationEnabled] [-LookbackDuration ] - [-MatchingMethod ] [-Query ] [-ReOpenClosedIncident] [-Severity ] - [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-DefaultProfile ] + [-EntityMapping ] [-GroupByAlertDetail ] [-GroupByCustomDetail ] + [-GroupByEntity ] [-GroupingConfigurationEnabled] [-LookbackDuration ] + [-MatchingMethod ] [-Query ] [-ReOpenClosedIncident] [-Severity ] + [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` @@ -67,9 +67,8 @@ Update-AzSentinelAlertRule -InputObject -FusionMLorT ``` Update-AzSentinelAlertRule -InputObject -MicrosoftSecurityIncidentCreation [-AlertRuleTemplateName ] [-Description ] [-Disabled] [-DisplayNamesExcludeFilter ] - [-DisplayNamesFilter ] [-Enabled] [-ProductFilter ] - [-SeveritiesFilter ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] - [] + [-DisplayNamesFilter ] [-Enabled] [-ProductFilter ] [-SeveritiesFilter ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityNRT 
@@ -77,10 +76,10 @@ Update-AzSentinelAlertRule -InputObject -MicrosoftSe Update-AzSentinelAlertRule -InputObject -NRT [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-Disabled] - [-DisplayName ] [-Enabled] [-EntityMapping ] [-GroupByAlertDetail ] - [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] + [-DisplayName ] [-Enabled] [-EntityMapping ] [-GroupByAlertDetail ] + [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-ReOpenClosedIncident] - [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] + [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` @@ -90,13 +89,12 @@ Update-AzSentinelAlertRule -InputObject -Scheduled [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-Disabled] [-DisplayName ] [-Enabled] [-EntityMapping ] - [-EventGroupingSettingAggregationKind ] [-GroupByAlertDetail ] - [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] + [-EventGroupingSettingAggregationKind ] [-GroupByAlertDetail ] + [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-QueryFrequency ] - [-QueryPeriod ] [-ReOpenClosedIncident] [-Severity ] - [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] - [-TriggerOperator ] [-TriggerThreshold ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + [-QueryPeriod ] [-ReOpenClosedIncident] [-Severity ] [-SuppressionDuration ] + [-SuppressionEnabled] [-Tactic ] [-TriggerOperator ] [-TriggerThreshold ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION 
@@ -325,10 +323,9 @@ Accept wildcard characters: False ### -EntityMapping 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' -To construct, see NOTES section for ENTITYMAPPING properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.EntityMapping[] Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled Aliases: @@ -343,7 +340,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind +Type: System.String Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled Aliases: @@ -373,7 +370,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail[] +Type: System.String[] Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled Aliases: @@ -403,7 +400,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[] +Type: System.String[] Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled Aliases: @@ -524,7 +521,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName +Type: System.String Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateViaIdentityMicrosoftSecurityIncidentCreation Aliases: 
@@ -645,7 +642,7 @@ Accept wildcard characters: False High, Medium, Low, Informational ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[] +Type: System.String[] Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateViaIdentityMicrosoftSecurityIncidentCreation Aliases: @@ -660,7 +657,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity +Type: System.String Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled Aliases: @@ -721,7 +718,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic +Type: System.String[] Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled Aliases: @@ -736,7 +733,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator +Type: System.String Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled Aliases: @@ -817,7 +814,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AlertRule ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelAlertRuleAction.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelAlertRuleAction.md index 7bbb96688722..34b3ee65ba05 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelAlertRuleAction.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Update-AzSentinelAlertRuleAction ## SYNOPSIS -Creates or updates the action of alert rule. +Update the action of alert rule. ## SYNTAX 
@@ -19,14 +19,35 @@ Update-AzSentinelAlertRuleAction -Id -ResourceGroupName -RuleI [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` +### UpdateViaIdentityAlertRuleExpanded +``` +Update-AzSentinelAlertRuleAction -AlertRuleInputObject -Id + [-LogicAppResourceId ] [-TriggerUri ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + ### UpdateViaIdentityExpanded ``` Update-AzSentinelAlertRuleAction -InputObject [-LogicAppResourceId ] [-TriggerUri ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` +### UpdateViaJsonFilePath +``` +Update-AzSentinelAlertRuleAction -Id -ResourceGroupName -RuleId + -WorkspaceName -JsonFilePath [-SubscriptionId ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +### UpdateViaJsonString +``` +Update-AzSentinelAlertRuleAction -Id -ResourceGroupName -RuleId + -WorkspaceName -JsonString [-SubscriptionId ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + ## DESCRIPTION -Creates or updates the action of alert rule. +Update the action of alert rule. ## EXAMPLES @@ -41,6 +62,21 @@ This command updates an alert rule action ## PARAMETERS +### -AlertRuleInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityAlertRuleExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -DefaultProfile The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription. @@ -62,7 +98,7 @@ Action ID ```yaml Type: System.String -Parameter Sets: UpdateExpanded +Parameter Sets: UpdateExpanded, UpdateViaIdentityAlertRuleExpanded, UpdateViaJsonFilePath, UpdateViaJsonString Aliases: ActionId Required: True 
@@ -74,7 +110,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -88,12 +123,42 @@ Accept pipeline input: True (ByValue) Accept wildcard characters: False ``` +### -JsonFilePath +Path of Json file supplied to the Update operation + +```yaml +Type: System.String +Parameter Sets: UpdateViaJsonFilePath +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -JsonString +Json string supplied to the Update operation + +```yaml +Type: System.String +Parameter Sets: UpdateViaJsonString +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -LogicAppResourceId Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: UpdateExpanded, UpdateViaIdentityAlertRuleExpanded, UpdateViaIdentityExpanded Aliases: Required: False @@ -109,7 +174,7 @@ The name is case insensitive. ```yaml Type: System.String -Parameter Sets: UpdateExpanded +Parameter Sets: UpdateExpanded, UpdateViaJsonFilePath, UpdateViaJsonString Aliases: Required: True @@ -124,7 +189,7 @@ Alert rule ID ```yaml Type: System.String -Parameter Sets: UpdateExpanded +Parameter Sets: UpdateExpanded, UpdateViaJsonFilePath, UpdateViaJsonString Aliases: Required: True @@ -139,7 +204,7 @@ The ID of the target subscription. ```yaml Type: System.String -Parameter Sets: UpdateExpanded +Parameter Sets: UpdateExpanded, UpdateViaJsonFilePath, UpdateViaJsonString Aliases: Required: False 
@@ -154,7 +219,7 @@ Logic App Callback URL for this specific workflow. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: UpdateExpanded, UpdateViaIdentityAlertRuleExpanded, UpdateViaIdentityExpanded Aliases: Required: False @@ -169,7 +234,7 @@ The name of the workspace. ```yaml Type: System.String -Parameter Sets: UpdateExpanded +Parameter Sets: UpdateExpanded, UpdateViaJsonFilePath, UpdateViaJsonString Aliases: Required: True @@ -219,7 +284,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IActionResponse +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IActionResponse ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelAutomationRule.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelAutomationRule.md index 1c3b24dffb26..76b73ca8be3f 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelAutomationRule.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Update-AzSentinelAutomationRule ## SYNOPSIS -Creates or updates the automation rule. +Update the automation rule. ## SYNTAX 
@@ -29,14 +29,14 @@ Update-AzSentinelAutomationRule -InputObject [-Actio ``` ## DESCRIPTION -Creates or updates the automation rule. +Update the automation rule. ## EXAMPLES ### Example 1: Updates an automation rule ```powershell $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword" - $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new() + $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AutomationRuleRunPlaybookAction]::new() $automationRuleAction.Order = 1 $automationRuleAction.ActionType = "RunPlaybook" $automationRuleAction.ActionConfigurationLogicAppResourceId = ($LogicAppResourceId.Id) @@ -50,10 +50,9 @@ This command updates an automation rule ### -Action The actions to execute when the automation rule is triggered -To construct, see NOTES section for ACTION properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRuleAction[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IAutomationRuleAction[] Parameter Sets: (All) Aliases: @@ -112,7 +111,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -176,7 +174,7 @@ Accept wildcard characters: False The conditions to evaluate to determine if the automation rule should be triggered on a given object ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRuleCondition[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IAutomationRuleCondition[] Parameter Sets: (All) Aliases: 
@@ -272,7 +270,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IAutomationRule ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelBookmark.md index e87fa3e8c907..7dfd9e2e13d3 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelBookmark.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelBookmark.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Update-AzSentinelBookmark ## SYNOPSIS -Creates or updates the bookmark. +Update the bookmark. ## SYNTAX @@ -16,22 +16,24 @@ Creates or updates the bookmark. ``` Update-AzSentinelBookmark -Id -ResourceGroupName -WorkspaceName [-SubscriptionId ] [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] - [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] + [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] - [-QueryStartTime ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] + [-QueryStartTime ] [-UpdatedByEmail ] [-UpdatedByName ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityExpanded ``` Update-AzSentinelBookmark -InputObject [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] [-IncidentInfoRelationName ] - [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ] + [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] [-QueryStartTime ] - [-DefaultProfile ] [-Confirm] [-WhatIf] [] + [-UpdatedByEmail ] [-UpdatedByName ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] ``` ## DESCRIPTION -Creates or updates the bookmark. +Update the bookmark. ## EXAMPLES 
@@ -141,7 +143,7 @@ Accept wildcard characters: False The severity of the incident ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentSeverity +Type: System.String Parameter Sets: (All) Aliases: @@ -169,7 +171,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -304,6 +305,36 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -UpdatedByEmail +The email of the user. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UpdatedByName +The name of the user. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -WorkspaceName The name of the workspace. @@ -359,7 +390,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IBookmark ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelBookmarkRelation.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelBookmarkRelation.md index c498f9622ced..9b3ff752b9fb 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelBookmarkRelation.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Update-AzSentinelBookmarkRelation ## SYNOPSIS -Creates the bookmark relation. +Update the bookmark relation. ## SYNTAX 
@@ -19,6 +19,12 @@ Update-AzSentinelBookmarkRelation -BookmarkId -RelationName -R [-Confirm] [-WhatIf] [] ``` +### UpdateViaIdentityBookmarkExpanded +``` +Update-AzSentinelBookmarkRelation -BookmarkInputObject -RelationName + [-RelatedResourceId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + ### UpdateViaIdentityExpanded ``` Update-AzSentinelBookmarkRelation -InputObject [-RelatedResourceId ] @@ -26,7 +32,7 @@ Update-AzSentinelBookmarkRelation -InputObject [-Rel ``` ## DESCRIPTION -Creates the bookmark relation. +Update the bookmark relation. ## EXAMPLES @@ -54,6 +60,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -BookmarkInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityBookmarkExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -DefaultProfile The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription. @@ -72,7 +93,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -106,7 +126,7 @@ Relation Name ```yaml Type: System.String -Parameter Sets: UpdateExpanded +Parameter Sets: UpdateExpanded, UpdateViaIdentityBookmarkExpanded Aliases: Required: True @@ -202,7 +222,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IRelation ## NOTES 
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelDataConnector.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelDataConnector.md index 64287e5bcf03..78fb9c4107f5 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelDataConnector.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelDataConnector.md @@ -123,9 +123,9 @@ Update-AzSentinelDataConnector -Id -ResourceGroupName -Workspa ``` Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -APIRootURL -ThreatIntelligenceTaxii [-SubscriptionId ] [-CollectionId ] - [-FriendlyName ] [-Password ] [-PollingFrequency ] - [-TaxiiLookbackPeriod ] [-TenantId ] [-UserName ] [-WorkspaceId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + [-FriendlyName ] [-Password ] [-PollingFrequency ] [-TaxiiLookbackPeriod ] + [-TenantId ] [-UserName ] [-WorkspaceId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityAADAATP @@ -237,7 +237,7 @@ Update-AzSentinelDataConnector -InputObject -ThreatI ### UpdateViaIdentityThreatIntelligenceTaxii ``` Update-AzSentinelDataConnector -InputObject -ThreatIntelligenceTaxii - [-CollectionId ] [-FriendlyName ] [-Password ] [-PollingFrequency ] + [-CollectionId ] [-FriendlyName ] [-Password ] [-PollingFrequency ] [-TaxiiLookbackPeriod ] [-TenantId ] [-UserName ] [-WorkspaceId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` @@ -654,8 +654,7 @@ Accept wildcard characters: False ### -InputObject [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory, ValueFromPipeline)] Identity Parameter - -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity 
@@ -820,10 +819,10 @@ Accept wildcard characters: False ``` ### -PermissionCustom -To construct, see NOTES section for PERMISSIONCUSTOM properties and create a hash table. + ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.PermissionsCustomsItem[] Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI Aliases: @@ -835,10 +834,10 @@ Accept wildcard characters: False ``` ### -PermissionResourceProvider -To construct, see NOTES section for PERMISSIONRESOURCEPROVIDER properties and create a hash table. + ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.PermissionsResourceProviderItem[] Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI Aliases: @@ -853,7 +852,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency +Type: System.String Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii Aliases: @@ -1004,10 +1003,10 @@ Accept wildcard characters: False ``` ### -UiConfigConnectivityCriterion -To construct, see NOTES section for UICONFIGCONNECTIVITYCRITERION properties and create a hash table. + ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ConnectivityCriteria[] Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI Aliases: 
@@ -1034,10 +1033,10 @@ Accept wildcard characters: False ``` ### -UiConfigDataType -To construct, see NOTES section for UICONFIGDATATYPE properties and create a hash table. + ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.LastDataReceivedDataType[] Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI Aliases: @@ -1079,10 +1078,10 @@ Accept wildcard characters: False ``` ### -UiConfigGraphQuery -To construct, see NOTES section for UICONFIGGRAPHQUERY properties and create a hash table. + ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.GraphQueries[] Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI Aliases: @@ -1094,10 +1093,10 @@ Accept wildcard characters: False ``` ### -UiConfigInstructionStep -To construct, see NOTES section for UICONFIGINSTRUCTIONSTEP properties and create a hash table. + ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.InstructionSteps[] Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI Aliases: @@ -1124,10 +1123,10 @@ Accept wildcard characters: False ``` ### -UiConfigSampleQuery -To construct, see NOTES section for UICONFIGSAMPLEQUERY properties and create a hash table. + ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.SampleQueries[] Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI Aliases: 
@@ -1239,7 +1238,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.DataConnector ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelEntityQuery.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelEntityQuery.md index 0bb4de8459b4..49be0778628a 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelEntityQuery.md @@ -14,9 +14,9 @@ Updates the entity query. ### UpdateActivity (Default) ``` -Update-AzSentinelEntityQuery -EntityQueryId -ResourceGroupName -WorkspaceName +Update-AzSentinelEntityQuery -Id -ResourceGroupName -WorkspaceName [-SubscriptionId ] [-Content ] [-Description ] [-Disabled] [-Enabled] - [-EntitiesFilter ] [-InputEntityType ] + [-EntitiesFilter ] [-InputEntityType ] [-QueryDefinitionQuery ] [-RequiredInputFieldsSet ] [-TemplateName ] [-Title ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` @@ -25,7 +25,7 @@ Update-AzSentinelEntityQuery -EntityQueryId -ResourceGroupName ``` Update-AzSentinelEntityQuery -InputObject [-Content ] [-Description ] [-Disabled] [-Enabled] - [-EntitiesFilter ] [-InputEntityType ] + [-EntitiesFilter ] [-InputEntityType ] [-QueryDefinitionQuery ] [-RequiredInputFieldsSet ] [-TemplateName ] [-Title ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` 
@@ -135,10 +135,10 @@ Accept wildcard characters: False ``` ### -EntitiesFilter -To construct, see NOTES section for ENTITIESFILTER properties and create a hash table. + ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ActivityEntityQueriesPropertiesEntitiesFilter Parameter Sets: (All) Aliases: @@ -149,13 +149,13 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -EntityQueryId +### -Id The Id of the Entity Query. ```yaml Type: System.String Parameter Sets: UpdateActivity -Aliases: +Aliases: EntityQueryId Required: True Position: Named @@ -168,7 +168,7 @@ Accept wildcard characters: False ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType +Type: System.String Parameter Sets: (All) Aliases: @@ -357,7 +357,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.CustomEntityQuery ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelIncident.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelIncident.md index 582ee85d7bfb..4323a82afd1f 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelIncident.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelIncident.md 
@@ -8,35 +8,34 @@ schema: 2.0.0 # Update-AzSentinelIncident ## SYNOPSIS -Creates or updates the incident. +Update the incident. ## SYNTAX ### UpdateExpanded (Default) ``` Update-AzSentinelIncident -Id -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-Classification ] [-ClassificationComment ] - [-ClassificationReason ] [-Description ] - [-FirstActivityTimeUtc ] [-Label ] [-LastActivityTimeUtc ] - [-OwnerAssignedTo ] [-OwnerEmail ] [-OwnerObjectId ] - [-OwnerUserPrincipalName ] [-ProviderIncidentId ] [-ProviderName ] - [-Severity ] [-Status ] [-Title ] [-DefaultProfile ] - [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-Classification ] [-ClassificationComment ] + [-ClassificationReason ] [-Description ] [-FirstActivityTimeUtc ] + [-Label ] [-LastActivityTimeUtc ] [-OwnerAssignedTo ] + [-OwnerEmail ] [-OwnerObjectId ] [-OwnerUserPrincipalName ] + [-ProviderIncidentId ] [-ProviderName ] [-Severity ] [-Status ] + [-Title ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityExpanded ``` -Update-AzSentinelIncident -InputObject [-Classification ] - [-ClassificationComment ] [-ClassificationReason ] - [-Description ] [-FirstActivityTimeUtc ] [-Label ] - [-LastActivityTimeUtc ] [-OwnerAssignedTo ] [-OwnerEmail ] - [-OwnerObjectId ] [-OwnerUserPrincipalName ] [-ProviderIncidentId ] - [-ProviderName ] [-Severity ] [-Status ] [-Title ] - [-DefaultProfile ] [-Confirm] [-WhatIf] [] +Update-AzSentinelIncident -InputObject [-Classification ] + [-ClassificationComment ] [-ClassificationReason ] [-Description ] + [-FirstActivityTimeUtc ] [-Label ] [-LastActivityTimeUtc ] + [-OwnerAssignedTo ] [-OwnerEmail ] [-OwnerObjectId ] + [-OwnerUserPrincipalName ] [-ProviderIncidentId ] [-ProviderName ] + [-Severity ] [-Status ] [-Title ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] ``` ## DESCRIPTION -Creates or updates the incident. +Update the incident. ## EXAMPLES 
@@ -78,7 +77,7 @@ Passing the original values from `$incident` ensures those fields are not reset. The reason the incident was closed ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentClassification +Type: System.String Parameter Sets: (All) Aliases: @@ -108,7 +107,7 @@ Accept wildcard characters: False The classification reason the incident was closed with ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentClassificationReason +Type: System.String Parameter Sets: (All) Aliases: @@ -182,7 +181,6 @@ Accept wildcard characters: False ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity @@ -198,10 +196,9 @@ Accept wildcard characters: False ### -Label List of labels relevant to this incident -To construct, see NOTES section for LABEL properties and create a hash table. ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentLabel[] +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IIncidentLabel[] Parameter Sets: (All) Aliases: @@ -337,7 +334,7 @@ Accept wildcard characters: False The severity of the incident ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentSeverity +Type: System.String Parameter Sets: (All) Aliases: @@ -352,7 +349,7 @@ Accept wildcard characters: False The status of the incident ```yaml -Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentStatus +Type: System.String Parameter Sets: (All) Aliases: @@ -448,7 +445,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IIncident ## NOTES 
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelIncidentComment.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelIncidentComment.md index 4a0a856097f8..f997d8ce69d8 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelIncidentComment.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Update-AzSentinelIncidentComment ## SYNOPSIS -Creates or updates the incident comment. +Update the incident comment. ## SYNTAX @@ -25,8 +25,14 @@ Update-AzSentinelIncidentComment -InputObject [-Mess [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` +### UpdateViaIdentityIncidentExpanded +``` +Update-AzSentinelIncidentComment -Id -IncidentInputObject + [-Message ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + ## DESCRIPTION -Creates or updates the incident comment. +Update the incident comment. ## EXAMPLES @@ -60,7 +66,7 @@ Incident comment ID ```yaml Type: System.String -Parameter Sets: UpdateExpanded +Parameter Sets: UpdateExpanded, UpdateViaIdentityIncidentExpanded Aliases: IncidentCommentId Required: True @@ -85,9 +91,23 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -IncidentInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityIncidentExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity 
@@ -202,7 +222,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## OUTPUTS -### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IIncidentComment ## NOTES diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelIncidentRelation.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelIncidentRelation.md index 937c45e01c43..8d8fed1f9164 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelIncidentRelation.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Update-AzSentinelIncidentRelation ## SYNOPSIS -Creates or updates the incident relation. +Update the incident relation. ## SYNTAX @@ -25,8 +25,14 @@ Update-AzSentinelIncidentRelation -InputObject [-Rel [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` +### UpdateViaIdentityIncidentExpanded +``` +Update-AzSentinelIncidentRelation -IncidentInputObject -RelationName + [-RelatedResourceId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + ## DESCRIPTION -Creates or updates the incident relation. +Update the incident relation. ## EXAMPLES @@ -71,9 +77,23 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -IncidentInputObject +Identity Parameter + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityIncidentExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + ### -InputObject Identity Parameter -To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ```yaml Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity 
@@ -107,7 +127,7 @@ Relation Name
 ```yaml
 Type: System.String
-Parameter Sets: UpdateExpanded
+Parameter Sets: UpdateExpanded, UpdateViaIdentityIncidentExpanded
 Aliases:
 Required: True
@@ -203,7 +223,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
 ## OUTPUTS
-### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.IRelation
 ## NOTES
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelOnboardingState.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelOnboardingState.md
new file mode 100644
index 000000000000..41e4e85791e0
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelOnboardingState.md
@@ -0,0 +1,195 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://learn.microsoft.com/powershell/module/az.securityinsights/update-azsentinelonboardingstate
+schema: 2.0.0
+---
+
+# Update-AzSentinelOnboardingState
+
+## SYNOPSIS
+Update Sentinel onboarding state
+
+## SYNTAX
+
+### UpdateExpanded (Default)
+```
+Update-AzSentinelOnboardingState -Name -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-CustomerManagedKey] [-DefaultProfile ] [-Confirm] [-WhatIf]
+ []
+```
+
+### UpdateViaIdentityExpanded
+```
+Update-AzSentinelOnboardingState -InputObject [-CustomerManagedKey]
+ [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Update Sentinel onboarding state
+
+## EXAMPLES
+
+### Example 1: Update Sentinel onboarding state
+```powershell
+Update-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default"
+```
+
+This command updates the onboarding state of Sentinel.
+
+## PARAMETERS
+
+### -CustomerManagedKey
+Flag that indicates the status of the CMK setting
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The DefaultProfile parameter is not functional.
+Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: UpdateViaIdentityExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Name
+The Sentinel onboarding state name.
+Supports - default
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases: SentinelOnboardingStateName
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISentinelOnboardingState
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelSetting.md b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelSetting.md
index 6e1acbe44b09..a6b312491c77 100644
--- a/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelSetting.md
+++ b/src/SecurityInsights/SecurityInsights.Autorest/docs/Update-AzSentinelSetting.md
@@ -21,7 +21,7 @@ Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -En
 ### UpdateExpandedUeba
 ```
-Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -DataSource
+Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -DataSource -SettingsName [-SubscriptionId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] []
 ```
@@ -34,7 +34,7 @@ Update-AzSentinelSetting -InputObject -Enabled -DataSource
+Update-AzSentinelSetting -InputObject -DataSource [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] []
 ```
@@ -71,7 +71,7 @@ Accept wildcard characters: False
 ```yaml
-Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSources[]
+Type: System.String[]
 Parameter Sets: UpdateExpandedUeba, UpdateViaIdentityExpandedUeba
 Aliases:
@@ -245,7 +245,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
 ## OUTPUTS
-### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Settings
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Settings
 ## NOTES
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/examples/Get-AzSentinelEntity.md b/src/SecurityInsights/SecurityInsights.Autorest/examples/Get-AzSentinelEntity.md
index 2a46261b0721..62be07b70b68 100644
--- a/src/SecurityInsights/SecurityInsights.Autorest/examples/Get-AzSentinelEntity.md
+++ b/src/SecurityInsights/SecurityInsights.Autorest/examples/Get-AzSentinelEntity.md
@@ -28,8 +28,8 @@ This command gets an Entity.
 ### Example 3: Get a Entity by object Id
 ```powershell
- $Entitys = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
- $Entitys[0] | Get-AzSentinelEntity
+ $Entities = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+ $Entities[0] | Get-AzSentinelEntity
 ```
 ```output
 FriendlyName : WIN2019
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/examples/Get-AzSentinelEntityInsight.md b/src/SecurityInsights/SecurityInsights.Autorest/examples/Get-AzSentinelEntityInsight.md
index 2644a1248a4d..d07ac4553e71 100644
--- a/src/SecurityInsights/SecurityInsights.Autorest/examples/Get-AzSentinelEntityInsight.md
+++ b/src/SecurityInsights/SecurityInsights.Autorest/examples/Get-AzSentinelEntityInsight.md
@@ -18,7 +18,7 @@ This command gets insights for an Entity for a given time range.
 ```powershell
 $startTime = (Get-Date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
 $endTime = (Get-Date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
- $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "8d036a2d-f37d-e936-6cca-4e172687cb79"
+ $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "00001111-aaaa-2222-bbbb-3333cccc4444"
 $Entity | Get-AzSentinelEntityInsight -EndTime $endTime -StartTime $startTime
 ```
 ```output
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/examples/New-AzSentinelAlertRule.md b/src/SecurityInsights/SecurityInsights.Autorest/examples/New-AzSentinelAlertRule.md
index 9f96df72e7fc..3ca60ff1ecf5 100644
--- a/src/SecurityInsights/SecurityInsights.Autorest/examples/New-AzSentinelAlertRule.md
+++ b/src/SecurityInsights/SecurityInsights.Autorest/examples/New-AzSentinelAlertRule.md
@@ -32,7 +32,7 @@ This command creates an Alert Rule of the MicrosoftSecurityIncidentCreation kind
 ### Example 5: Create a Scheduled Alert Rule
 ```powershell
-New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10
+New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Execution Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventID == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10
 ```
 This command creates an Alert Rule of the Scheduled kind. Please note that that query (parameter -Query) needs to be on a single line as as string.
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/examples/New-AzSentinelAutomationRule.md b/src/SecurityInsights/SecurityInsights.Autorest/examples/New-AzSentinelAutomationRule.md
index 4a94125b5efc..50f59819bdf3 100644
--- a/src/SecurityInsights/SecurityInsights.Autorest/examples/New-AzSentinelAutomationRule.md
+++ b/src/SecurityInsights/SecurityInsights.Autorest/examples/New-AzSentinelAutomationRule.md
@@ -1,7 +1,7 @@
 ### Example 1: Create an Automation Rule using Run Playbook
 ```powershell
 $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword"
- $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
+ $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AutomationRuleRunPlaybookAction]::new()
 $automationRuleAction.Order = 1
 $automationRuleAction.ActionType = "RunPlaybook"
 $automationRuleAction.ActionConfigurationLogicAppResourceId = ($LogicAppResourceId.Id)
@@ -13,7 +13,7 @@ This command creates an Automation Rule that has an Action of Run Playbook.
 ### Example 2: Creates an Automation Rule that has an Action of changing the severity
 ```powershell
- $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleModifyPropertiesAction]::new()
+ $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AutomationRuleModifyPropertiesAction]::new()
 $automationRuleAction.Order = 1
 $automationRuleAction.ActionType = "ModifyProperties"
 $automationRuleAction.ActionConfigurationSeverity = "Low"
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/examples/New-AzSentinelIncidentTeam.md b/src/SecurityInsights/SecurityInsights.Autorest/examples/New-AzSentinelIncidentTeam.md
index 7086cc39ac5d..cc31db8bfd83 100644
--- a/src/SecurityInsights/SecurityInsights.Autorest/examples/New-AzSentinelIncidentTeam.md
+++ b/src/SecurityInsights/SecurityInsights.Autorest/examples/New-AzSentinelIncidentTeam.md
@@ -7,7 +7,7 @@ Description :
 Name :
 Incident : NewIncident3
 PrimaryChannelUrl : https://teams.microsoft.com/l/team/19:vYoGjeGlZmTEDmu0gTbrk9T_eDS4pKIkEU7UuM1IyZk1%40thread.tacv2/conversations?groupId=3c637cc5-caf1-46c7-93ac-069c6
- 4b05395&tenantId=8f21ced5-2eff-4f8d-aff1-4dbb4cee8e3d
+ 4b05395&tenantId=00001111-aaaa-2222-bbbb-3333cccc4444
 TeamCreationTimeUtc : 2/4/2022 3:02:03 PM
 TeamId : 3c637cc5-caf1-46c7-93ac-069c64b05395
 ```
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/examples/Update-AzSentinelAlertRuleAction.md b/src/SecurityInsights/SecurityInsights.Autorest/examples/Update-AzSentinelAlertRuleAction.md
index 16a4b1984b2d..7d87fcbffd4e 100644
--- a/src/SecurityInsights/SecurityInsights.Autorest/examples/Update-AzSentinelAlertRuleAction.md
+++ b/src/SecurityInsights/SecurityInsights.Autorest/examples/Update-AzSentinelAlertRuleAction.md
@@ -5,4 +5,4 @@ $LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "myLog
 Update-AzSentinelAlertRuleAction -ResourceGroupName "mySentinelResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "48bbf86d-540b-4a7b-9fee-2bd7d810dbed" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) -Id ((New-Guid).Guid)
 ```
-This command updates an alert rule action
+This command updates an alert rule action
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/examples/Update-AzSentinelAutomationRule.md b/src/SecurityInsights/SecurityInsights.Autorest/examples/Update-AzSentinelAutomationRule.md
index 6ed5714047f5..6f9ba04317d0 100644
--- a/src/SecurityInsights/SecurityInsights.Autorest/examples/Update-AzSentinelAutomationRule.md
+++ b/src/SecurityInsights/SecurityInsights.Autorest/examples/Update-AzSentinelAutomationRule.md
@@ -1,7 +1,7 @@
 ### Example 1: Updates an automation rule
 ```powershell
 $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword"
- $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
+ $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.AutomationRuleRunPlaybookAction]::new()
 $automationRuleAction.Order = 1
 $automationRuleAction.ActionType = "RunPlaybook"
 $automationRuleAction.ActionConfigurationLogicAppResourceId = ($LogicAppResourceId.Id)
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/examples/Update-AzSentinelOnboardingState.md b/src/SecurityInsights/SecurityInsights.Autorest/examples/Update-AzSentinelOnboardingState.md
new file mode 100644
index 000000000000..da0130527c1a
--- /dev/null
+++ b/src/SecurityInsights/SecurityInsights.Autorest/examples/Update-AzSentinelOnboardingState.md
@@ -0,0 +1,6 @@
+### Example 1: Update Sentinel onboarding state
+```powershell
+Update-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default"
+```
+
+This command updates the onboarding state of Sentinel.
\ No newline at end of file
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/generate-info.json b/src/SecurityInsights/SecurityInsights.Autorest/generate-info.json
index 4103d9097c74..a7d05108311e 100644
--- a/src/SecurityInsights/SecurityInsights.Autorest/generate-info.json
+++ b/src/SecurityInsights/SecurityInsights.Autorest/generate-info.json
@@ -1,3 +1,3 @@
 {
- "generate_Id": "8ce60ebe-4f3c-4615-9375-713ee5753a02"
+ "generate_Id": "69d23195-08e5-4af2-9d59-4cda670a79ed"
 }
diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRule.Recording.json
index cb3a1bf9660c..9264c4afa0c6 100644
--- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRule.Recording.json
+++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRule.Recording.json
@@ -1,17 +1,17 @@
 {
- "Get-AzSentinelAlertRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview+1": {
+ "Get-AzSentinelAlertRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview+1": {
 "Request": {
 "Method": "GET",
- "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview",
+ "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview",
 "Content": null,
 "isContentBase64": false,
 "Headers": {
- "x-ms-unique-id": [ "158" ],
- "x-ms-client-request-id": [ "ce19bfa1-427c-4cb5-ad79-b773231600cc" ],
+ "x-ms-unique-id": [ "1" ],
+ "x-ms-client-request-id": [ "c8334311-f836-4b23-a357-5dc636f4fa66" ],
 "CommandName": [ "Get-AzSentinelAlertRule" ],
 "FullCommandName": [ "Get-AzSentinelAlertRule_List" ],
 "ParameterSetName": [ "__AllParameterSets" ],
- "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ],
+ "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ],
 "Authorization": [ "[Filtered]" ]
 },
 "ContentHeaders": {
@@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11999" ], - "x-ms-request-id": [ "9c8fd5a8-2fc9-4dad-9f24-ed55e3a6e9a1" ], - "x-ms-correlation-request-id": [ "9c8fd5a8-2fc9-4dad-9f24-ed55e3a6e9a1" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160647Z:9c8fd5a8-2fc9-4dad-9f24-ed55e3a6e9a1" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/5cec3b9a-519b-4690-b547-62dc53402cf1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "f5749ae0-d175-4463-ad9e-122d4b65f3cc" ], + "x-ms-correlation-request-id": [ "f5749ae0-d175-4463-ad9e-122d4b65f3cc" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074359Z:f5749ae0-d175-4463-ad9e-122d4b65f3cc" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:46 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 52C3D028D4B24026A4686107B5D51CF8 Ref B: AMS231020512027 Ref C: 2026-03-25T07:43:59Z" ], + "Date": [ "Wed, 25 Mar 2026 07:43:59 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "54782" ], + "Content-Length": [ "54770" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion\",\"name\":\"BuiltInFusion\",\"etag\":\"\\\"0600a340-0000-0100-0000-62fbb75d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Fusion\",\"properties\":{\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a 
correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. 
Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"alertRuleTemplateName\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"severity\":\"High\",\"enabled\":true,\"lastModifiedUtc\":\"2022-08-16T15:27:25.3857989Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e1b7c244-83f3-4fbd-b2c9-d08eaa704a85\",\"name\":\"e1b7c244-83f3-4fbd-b2c9-d08eaa704a85\",\"etag\":\"\\\"0600dc40-0000-0100-0000-62fbb9d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT12H\",\"matchingMethod\":\"Selected\",\"groupByEntities\":[\"Account\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId__s\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Malicious Inbox Rule, affected user {{UserId__s}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", 
\\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\r\\nOfficeActivity_CL\\r\\n| where Operation_s =~ \\\"New-InboxRule\\\"\\r\\n| where Parameters_s has \\\"Deleted Items\\\" or Parameters_s has \\\"Junk Email\\\" \\r\\n| extend Events=todynamic(Parameters_s)\\r\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\r\\n| where SubjectContainsWords has_any (Keywords)\\r\\nor BodyContainsWords has_any (Keywords)\\r\\nor SubjectOrBodyContainsWords has_any (Keywords)\\r\\n| extend ClientIPAddress = case( ClientIP_s has \\\".\\\", tostring(split(ClientIP_s,\\\":\\\")[0]), ClientIP_s has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_s,\\\"]\\\")[0]))), ClientIP_s )\\r\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\r\\n| extend RuleDetail = case(OfficeObjectId_s contains \u0027/\u0027 , tostring(split(OfficeObjectId_s, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId_s, \u0027\\\\\\\\\u0027)[-1]))\\r\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation_s, UserId__s, ClientIPAddress, ResultStatus_s, Keyword, OriginatingServer_s, OfficeObjectId_s, RuleDetail\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule - custom\",\"enabled\":true,\"description\":\"This rule is detecting on delete all traces of phishing email from user 
mailboxes\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:37:58.9257559Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/53274afe-2640-4c50-bd36-78c1c79f102c\",\"name\":\"53274afe-2640-4c50-bd36-78c1c79f102c\",\"etag\":\"\\\"0600dd40-0000-0100-0000-62fbb9d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[\"IP\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Medium\",\"query\":\"SigninLogs_CL\\n | where ResultType == \\\"50057\\\" \\n | where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\n disabledAccountsTargeted = dcount(UserPrincipalName_s), applicationsTargeted = dcount(AppDisplayName_s), disabledAccountSet = makeset(UserPrincipalName_s), \\n applicationSet = makeset(AppDisplayName_s)\\n by IPAddress, Type\\n | order by disabledAccountLoginAttempts desc\\n | join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs_CL\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName_s), successfulAccountSigninSet = makeset(UserPrincipalName_s, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on IPAddress \\n | where successfulAccountSigninCount != 0\\n | project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\n successfulAccountSigninCount, successfulAccountSigninSet, Type\\n | order by disabledAccountLoginAttempts\\n | extend timestamp = StartTime, IPCustomEntity = IPAddress\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"enabled\":true,\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"alertRuleTemplateName\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"lastModifiedUtc\":\"2022-08-16T15:37:58.9088963Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/05cd1abd-2426-4d7e-be8a-cda489ed9cce\",\"name\":\"05cd1abd-2426-4d7e-be8a-cda489ed9cce\",\"etag\":\"\\\"0600de40-0000-0100-0000-62fbb9da0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AnyAlert\",\"groupByEntities\":[],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns \\n | where isnotempty(Query)\\n | where Query in~ (domains)\\n | extend DNSName = Query\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"enabled\":true,\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"alertRuleTemplateName\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"lastModifiedUtc\":\"2022-08-16T15:37:58.8992375Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8\",\"name\":\"cab7d557-3de0-4043-8dd4-b83629755ab8\",\"etag\":\"\\\"0600e240-0000-0100-0000-62fbba160000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulem37adr\",\"enabled\":true,\"description\":\"GetAlertRulem37adr 
cab7d557-3de0-4043-8dd4-b83629755ab8\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:02.3687256Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90872ee6-8ed3-48b8-8e93-2bcb1aa6825d\",\"name\":\"90872ee6-8ed3-48b8-8e93-2bcb1aa6825d\",\"etag\":\"\\\"0600e840-0000-0100-0000-62fbba370000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveAlertRule1qafoy\",\"enabled\":true,\"description\":\"RemoveAlertRule1qafoy 
90872ee6-8ed3-48b8-8e93-2bcb1aa6825d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:33.5961847Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"name\":\"b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"etag\":\"\\\"0600ed40-0000-0100-0000-62fbba540000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule81exqs\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule81exqs 
b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:40:04.5582676Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"name\":\"e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"etag\":\"\\\"0600ef40-0000-0100-0000-62fbba750000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulejkg1z9\",\"enabled\":true,\"description\":\"UpdateAlertRulejkg1z9 
e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:40:36.025072Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/658a3691-0950-4176-bc12-e3e4d4b52335\",\"name\":\"658a3691-0950-4176-bc12-e3e4d4b52335\",\"etag\":\"\\\"0600f040-0000-0100-0000-62fbba950000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdAlertRuler0cz6k\",\"enabled\":true,\"description\":\"UpdateViaIdAlertRuler0cz6k 
658a3691-0950-4176-bc12-e3e4d4b52335\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:41:08.8217126Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2\",\"name\":\"3f8b701e-a084-40d7-8f4b-a6b1482e8cc2\",\"etag\":\"\\\"0600f440-0000-0100-0000-62fbbac10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetalertRuleActionRuleName2iy1g6\",\"enabled\":true,\"description\":\"GetalertRuleActionRuleName2iy1g6 
3f8b701e-a084-40d7-8f4b-a6b1482e8cc2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:41:52.5613781Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/7ebb90bb-a57a-42f6-8a23-a0393c176560\",\"name\":\"7ebb90bb-a57a-42f6-8a23-a0393c176560\",\"etag\":\"\\\"0600f740-0000-0100-0000-62fbbae20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemovealertRuleActionRuleName1ui932\",\"enabled\":true,\"description\":\"RemovealertRuleActionRuleName1ui932 
7ebb90bb-a57a-42f6-8a23-a0393c176560\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:42:24.0884995Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e5a90aef-2e88-486c-a745-66f415230a61\",\"name\":\"e5a90aef-2e88-486c-a745-66f415230a61\",\"etag\":\"\\\"0600f840-0000-0100-0000-62fbbb000000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdalertRuleActionRuleNametq71f5\",\"enabled\":true,\"description\":\"RemoveViaIdalertRuleActionRuleNametq71f5 
e5a90aef-2e88-486c-a745-66f415230a61\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:42:55.4746161Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/f04b319e-dc64-427b-8640-eef21b6fb5cd\",\"name\":\"f04b319e-dc64-427b-8640-eef21b6fb5cd\",\"etag\":\"\\\"0600fc40-0000-0100-0000-62fbbb230000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdatealertRuleActionRuleNamehp3sur\",\"enabled\":true,\"description\":\"UpdatealertRuleActionRuleNamehp3sur 
f04b319e-dc64-427b-8640-eef21b6fb5cd\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:43:31.1186326Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e\",\"name\":\"90b62f2e-9b96-4bfb-a82a-5ceed7cd487e\",\"etag\":\"\\\"0600fd40-0000-0100-0000-62fbbb410000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdalertRuleActionRuleNameyb5ilx\",\"enabled\":true,\"description\":\"UpdateViaIdalertRuleActionRuleNameyb5ilx 
90b62f2e-9b96-4bfb-a82a-5ceed7cd487e\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:43:58.9931835Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3831a4ff-b6c9-413b-b1e1-6939da17f4b1\",\"name\":\"3831a4ff-b6c9-413b-b1e1-6939da17f4b1\",\"etag\":\"\\\"06006541-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Intrusion Detection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| 
extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Intrusion Detection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6133876Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/278781f7-07bf-42e2-a02a-e5ab74e29991\",\"name\":\"278781f7-07bf-42e2-a02a-e5ab74e29991\",\"etag\":\"\\\"06006641-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"Greate
rThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Unified Communications \u0026 Collaboration\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) UCC Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6134901Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/7cd85217-8d3b-4ec1-b99c-589a49c492db\",\"name\":\"7cd85217-8d3b-4ec1-b99c-589a49c492db\",\"etag\":\"\\\"06006741-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Resiliency\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Resiliency Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6114797Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b96548d0-9060-4f75-8006-28e7b7af9ce6\",\"name\":\"b96548d0-9060-4f75-8006-28e7b7af9ce6\",\"etag\":\"\\\"06006841-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\
":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027DNS\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) DNS Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6152038Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/6698a851-845e-4145-92c8-f6ec017454c6\",\"name\":\"6698a851-845e-4145-92c8-f6ec017454c6\",\"etag\":\"\\\"06006941-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Universal Security Capabilities\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend 
RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Universal Security Capabilities Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6243928Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/abb6d8a7-279d-4e65-b104-c37bfdf7938a\",\"name\":\"abb6d8a7-279d-4e65-b104-c37bfdf7938a\",\"etag\":\"\\\"06006a41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperato
r\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Data Protection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Data Protection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6176959Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/31a2f4dd-07c5-4b59-b5f5-cdb3b96090f0\",\"name\":\"31a2f4dd-07c5-4b59-b5f5-cdb3b96090f0\",\"etag\":\"\\\"06006b41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Enterprise\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Enterprise Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.618616Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/0d6715bf-2e07-4317-8d34-ba4ec5c9e19b\",\"name\":\"0d6715bf-2e07-4317-8d34-ba4ec5c9e19b\",\"etag\":\"\\\"06006c41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"se
verity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Networking\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Networking Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6176672Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/5004b7e9-d0d1-44da-ada0-a9937d21660d\",\"name\":\"5004b7e9-d0d1-44da-ada0-a9937d21660d\",\"etag\":\"\\\"06006d41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Web\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Web Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6290249Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/1490edac-8296-457c-9acc-7ca5429e43cc\",\"name\":\"1490edac-8296-457c-9acc-7ca5429e43cc\",\"etag\":\"\\\"06006e41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"s
everity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Files\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Files Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6495698Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/108bf7e1-f705-4447-9a72-9bd6f510e1c1\",\"name\":\"108bf7e1-f705-4447-9a72-9bd6f510e1c1\",\"etag\":\"\\\"06006f41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Email\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Email Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6572279Z\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion\",\"name\":\"BuiltInFusion\",\"etag\":\"\\\"60003777-0000-0100-0000-69c38b070000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Fusion\",\"properties\":{\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. 
By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Microsoft Entra ID Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to 
https://aka.ms/SentinelFusion.\",\"alertRuleTemplateName\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"severity\":\"High\",\"enabled\":true,\"lastModifiedUtc\":\"2026-03-25T07:13:11.3095444Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/7d7980a7-4d27-42b8-afa5-e98396b43837\",\"name\":\"7d7980a7-4d27-42b8-afa5-e98396b43837\",\"etag\":\"\\\"600007b6-0000-0100-0000-69c38d7e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AnyAlert\",\"groupByEntities\":[],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns \\n | where isnotempty(Query)\\n | where Query in~ (domains)\\n | extend DNSName = Query\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"enabled\":true,\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"alertRuleTemplateName\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"lastModifiedUtc\":\"2026-03-25T07:23:41.4784143Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/09115ed5-df21-42aa-92a5-d7b72d8b551b\",\"name\":\"09115ed5-df21-42aa-92a5-d7b72d8b551b\",\"etag\":\"\\\"60001eb6-0000-0100-0000-69c38d7f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT12H\",\"matchingMethod\":\"Selected\",\"groupByEntities\":[\"Account\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId__s\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Malicious Inbox Rule, affected user {{UserId__s}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\r\\nOfficeActivity_CL\\r\\n| where Operation_s =~ \\\"New-InboxRule\\\"\\r\\n| where Parameters_s has \\\"Deleted Items\\\" or Parameters_s has \\\"Junk Email\\\" \\r\\n| extend Events=todynamic(Parameters_s)\\r\\n| parse Events with 
* \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\r\\n| where SubjectContainsWords has_any (Keywords)\\r\\nor BodyContainsWords has_any (Keywords)\\r\\nor SubjectOrBodyContainsWords has_any (Keywords)\\r\\n| extend ClientIPAddress = case( ClientIP_s has \\\".\\\", tostring(split(ClientIP_s,\\\":\\\")[0]), ClientIP_s has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_s,\\\"]\\\")[0]))), ClientIP_s )\\r\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\r\\n| extend RuleDetail = case(OfficeObjectId_s contains \u0027/\u0027 , tostring(split(OfficeObjectId_s, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId_s, \u0027\\\\\\\\\u0027)[-1]))\\r\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation_s, UserId__s, ClientIPAddress, ResultStatus_s, Keyword, OriginatingServer_s, OfficeObjectId_s, RuleDetail\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule - custom\",\"enabled\":true,\"description\":\"This rule is detecting on delete all traces of phishing email from user 
mailboxes\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:23:41.4848473Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07\",\"name\":\"5fa8a509-b73d-4f80-a32c-c6ff8dbbfb07\",\"etag\":\"\\\"600051b6-0000-0100-0000-69c38d800000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[\"IP\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Medium\",\"query\":\"SigninLogs_CL\\n | where ResultType == \\\"50057\\\" \\n | where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\n disabledAccountsTargeted = dcount(UserPrincipalName_s), applicationsTargeted = dcount(AppDisplayName_s), disabledAccountSet = makeset(UserPrincipalName_s), \\n applicationSet = makeset(AppDisplayName_s)\\n by IPAddress, Type\\n | order by disabledAccountLoginAttempts desc\\n | join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs_CL\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName_s), successfulAccountSigninSet = makeset(UserPrincipalName_s, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on IPAddress \\n | where successfulAccountSigninCount != 0\\n | project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\n successfulAccountSigninCount, successfulAccountSigninSet, Type\\n | order by disabledAccountLoginAttempts\\n | extend timestamp = StartTime, IPCustomEntity = IPAddress\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"enabled\":true,\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"alertRuleTemplateName\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"lastModifiedUtc\":\"2026-03-25T07:23:41.4801209Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"name\":\"b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"etag\":\"\\\"600083b7-0000-0100-0000-69c38d900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRule9af76e\",\"enabled\":true,\"description\":\"GetAlertRule9af76e 
b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:23:59.9209504Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/f731873a-1985-4ead-8b08-66136867f476\",\"name\":\"f731873a-1985-4ead-8b08-66136867f476\",\"etag\":\"\\\"60003eb8-0000-0100-0000-69c38d980000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveAlertRuleziu23f\",\"enabled\":true,\"description\":\"RemoveAlertRuleziu23f 
f731873a-1985-4ead-8b08-66136867f476\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:07.9238609Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/cc5ff22b-1ea2-46b8-8695-791d141e393f\",\"name\":\"cc5ff22b-1ea2-46b8-8695-791d141e393f\",\"etag\":\"\\\"600026b9-0000-0100-0000-69c38da10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule8z7jhl\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule8z7jhl 
cc5ff22b-1ea2-46b8-8695-791d141e393f\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:17.0136989Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/0cbb3d2d-91b5-45c4-8945-37d919707711\",\"name\":\"0cbb3d2d-91b5-45c4-8945-37d919707711\",\"etag\":\"\\\"600046ba-0000-0100-0000-69c38dac0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulehfjtyo\",\"enabled\":true,\"description\":\"UpdateAlertRulehfjtyo 
0cbb3d2d-91b5-45c4-8945-37d919707711\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:26.3633374Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/fec1ccd0-78c5-41d9-b5a8-ec9b4e63ea9a\",\"name\":\"fec1ccd0-78c5-41d9-b5a8-ec9b4e63ea9a\",\"etag\":\"\\\"60002cbb-0000-0100-0000-69c38db40000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdAlertRulegtdyv4\",\"enabled\":true,\"description\":\"UpdateViaIdAlertRulegtdyv4 
fec1ccd0-78c5-41d9-b5a8-ec9b4e63ea9a\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:34.5271423Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20\",\"name\":\"ac0954ee-b73d-4e95-8cac-f93c182a1c20\",\"etag\":\"\\\"6000ddbb-0000-0100-0000-69c38dba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetalertRuleActionRuleNamebocexs\",\"enabled\":true,\"description\":\"GetalertRuleActionRuleNamebocexs 
ac0954ee-b73d-4e95-8cac-f93c182a1c20\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:42.0078474Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/fbfa413f-423f-4546-9399-6bb4b234b07b\",\"name\":\"fbfa413f-423f-4546-9399-6bb4b234b07b\",\"etag\":\"\\\"6000a5bc-0000-0100-0000-69c38dc30000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemovealertRuleActionRuleNamer1pwq2\",\"enabled\":true,\"description\":\"RemovealertRuleActionRuleNamer1pwq2 
fbfa413f-423f-4546-9399-6bb4b234b07b\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:51.0044427Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/bfbfe303-5fe5-41b2-a51c-ce1c8cb99b4d\",\"name\":\"bfbfe303-5fe5-41b2-a51c-ce1c8cb99b4d\",\"etag\":\"\\\"600066bd-0000-0100-0000-69c38dcb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdalertRuleActionRuleName7jasw6\",\"enabled\":true,\"description\":\"RemoveViaIdalertRuleActionRuleName7jasw6 
bfbfe303-5fe5-41b2-a51c-ce1c8cb99b4d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:24:58.5048729Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/0a7c15c8-9257-4a34-9097-b53e070bf76d\",\"name\":\"0a7c15c8-9257-4a34-9097-b53e070bf76d\",\"etag\":\"\\\"60003abe-0000-0100-0000-69c38dd40000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdatealertRuleActionRuleNamecwvk1g\",\"enabled\":true,\"description\":\"UpdatealertRuleActionRuleNamecwvk1g 
0a7c15c8-9257-4a34-9097-b53e070bf76d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:25:06.4152594Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/c259c27b-4474-427f-8734-a99bee6d5d06\",\"name\":\"c259c27b-4474-427f-8734-a99bee6d5d06\",\"etag\":\"\\\"6000d1be-0000-0100-0000-69c38ddb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdalertRuleActionRuleNameg0clnz\",\"enabled\":true,\"description\":\"UpdateViaIdalertRuleActionRuleNameg0clnz 
c259c27b-4474-427f-8734-a99bee6d5d06\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:25:15.1810453Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/43d832f5-5628-44bc-ba0a-e722177d0e9c\",\"name\":\"43d832f5-5628-44bc-ba0a-e722177d0e9c\",\"etag\":\"\\\"600012e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Universal Security Capabilities\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / 
Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Universal Security Capabilities Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4575029Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/9d7e762b-b900-44e3-a08e-5f0ebad7c0b2\",\"name\":\"9d7e762b-b900-44e3-a08e-5f0ebad7c0b2\",\"etag\":\"\\\"600013e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Intrusion Detection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Intrusion Detection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4598767Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/e4f5026b-8080-417e-99fe-333ec1ee538c\",\"name\":\"e4f5026b-8080-417e-99fe-333ec1ee538c\",\"etag\":\"\\\"600014e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshol
d\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Data Protection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Data Protection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4584968Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/1521a426-ba01-49cd-93c7-bd844059f60a\",\"name\":\"1521a426-ba01-49cd-93c7-bd844059f60a\",\"etag\":\"\\\"600015e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Files\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Files Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4588864Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/52c23b0b-6a0c-4ffc-bb1d-cb7cac3bfcdb\",\"name\":\"52c23b0b-6a0c-4ffc-bb1d-cb7cac3bfcdb\",\"etag\":\"\\\"600016e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\
"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Unified Communications \u0026 Collaboration\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) UCC Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4609651Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b69cd91c-606b-46cb-b7d4-dfa5b1822fed\",\"name\":\"b69cd91c-606b-46cb-b7d4-dfa5b1822fed\",\"etag\":\"\\\"600017e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027DNS\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) DNS Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.480092Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/4bb87308-b2e2-457d-92e4-b121a1931688\",\"name\":\"4bb87308-b2e2-457d-92e4-b121a1931688\",\"etag\":\"\\\"600018e5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"se
verity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Resiliency\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Resiliency Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4791512Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/496e4d79-5cd7-4d6e-b2f0-0be61c26ba0f\",\"name\":\"496e4d79-5cd7-4d6e-b2f0-0be61c26ba0f\",\"etag\":\"\\\"60001ae5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Enterprise\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Enterprise Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.4961235Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/63d89b73-cfc5-4199-b765-922720095261\",\"name\":\"63d89b73-cfc5-4199-b765-922720095261\",\"etag\":\"\\\"60001be5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"s
everity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Web\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Web Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.5316509Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/24d18d81-0de6-4d24-9c18-3b947b38d69f\",\"name\":\"24d18d81-0de6-4d24-9c18-3b947b38d69f\",\"etag\":\"\\\"60001ce5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Email\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Email Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.5565145Z\"}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/6cbda92f-60c7-43aa-a348-7e52cbc1e627\",\"name\":\"6cbda92f-60c7-43aa-a348-7e52cbc1e627\",\"etag\":\"\\\"60001de5-0000-0100-0000-69c38f760000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\
"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Networking\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Networking Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:32:06.5988816Z\"}}]}", 
"isContentBase64": false } }, - "Get-AzSentinelAlertRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "159" ], - "x-ms-client-request-id": [ "89157eb4-2bb8-4bbc-8e43-37e7b1c35ea8" ], + "x-ms-unique-id": [ "2" ], + "x-ms-client-request-id": [ "71f60d24-13b8-438c-a525-29d207568573" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" 
] }, "ContentHeaders": { 
@@ -63,37 +67,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11998" ], - "x-ms-request-id": [ "3cd67556-d70f-4081-afea-78635515fd98" ], - "x-ms-correlation-request-id": [ "3cd67556-d70f-4081-afea-78635515fd98" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160648Z:3cd67556-d70f-4081-afea-78635515fd98" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/5c91f677-20b4-4ee7-8628-0217fc8656c7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "e599b720-51cc-40a9-8aec-c313f96ed1a6" ], + "x-ms-correlation-request-id": [ "e599b720-51cc-40a9-8aec-c313f96ed1a6" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074400Z:e599b720-51cc-40a9-8aec-c313f96ed1a6" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:47 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 3C7364A436A94D499F486605748B0559 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:00Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1164" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8\",\"name\":\"cab7d557-3de0-4043-8dd4-b83629755ab8\",\"etag\":\"\\\"0600e240-0000-0100-0000-62fbba160000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulem37adr\",\"enabled\":true,\"description\":\"GetAlertRulem37adr cab7d557-3de0-4043-8dd4-b83629755ab8\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:02.3687256Z\"}}", + "Content": 
"{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"name\":\"b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"etag\":\"\\\"600083b7-0000-0100-0000-69c38d900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRule9af76e\",\"enabled\":true,\"description\":\"GetAlertRule9af76e b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:23:59.9209504Z\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "160" ], - "x-ms-client-request-id": [ "57fe5617-25f0-498b-9598-335f6820bfbd" ], + "x-ms-unique-id": [ "3" ], + "x-ms-client-request-id": [ "dad432f5-9d98-4e5c-a378-1cf13f345b94" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -104,37 +112,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11997" ], - "x-ms-request-id": [ "ba7e2f26-7053-435a-8920-aec03f410ba1" ], - "x-ms-correlation-request-id": [ "ba7e2f26-7053-435a-8920-aec03f410ba1" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160648Z:ba7e2f26-7053-435a-8920-aec03f410ba1" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/dcf0d16b-6f2e-486d-9859-1aa67735e441" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "4c1e7748-0738-4c67-8672-1b71521ae158" ], + "x-ms-correlation-request-id": [ "4c1e7748-0738-4c67-8672-1b71521ae158" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074401Z:4c1e7748-0738-4c67-8672-1b71521ae158" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:47 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: D22AEACFDFF84735A3BFF9380F46AFDA Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:01Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1164" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8\",\"name\":\"cab7d557-3de0-4043-8dd4-b83629755ab8\",\"etag\":\"\\\"0600e240-0000-0100-0000-62fbba160000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulem37adr\",\"enabled\":true,\"description\":\"GetAlertRulem37adr cab7d557-3de0-4043-8dd4-b83629755ab8\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:02.3687256Z\"}}", + "Content": 
"{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"name\":\"b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"etag\":\"\\\"600083b7-0000-0100-0000-69c38d900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRule9af76e\",\"enabled\":true,\"description\":\"GetAlertRule9af76e b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:23:59.9209504Z\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview+2": { + 
"Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "161" ], - "x-ms-client-request-id": [ "5a43283e-69d6-4a20-ba0d-f07003ca6f47" ], + "x-ms-unique-id": [ "4" ], + "x-ms-client-request-id": [ "cb04c19a-ef00-441f-b522-c1076969c0af" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -145,21 +157,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11996" ], - "x-ms-request-id": [ "bf74d2e9-1095-4dd0-a3ba-4a4b537ec3d2" ], - "x-ms-correlation-request-id": [ "bf74d2e9-1095-4dd0-a3ba-4a4b537ec3d2" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160648Z:bf74d2e9-1095-4dd0-a3ba-4a4b537ec3d2" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/f21ba371-36fe-4209-8b96-35feb751d7e0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "dde0c235-ba42-4cee-921f-70ee60bd2efe" ], + "x-ms-correlation-request-id": [ "dde0c235-ba42-4cee-921f-70ee60bd2efe" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074402Z:dde0c235-ba42-4cee-921f-70ee60bd2efe" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:47 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 36AAC7B8ED654FF68C0D873B02852F49 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:01Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:01 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1164" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8\",\"name\":\"cab7d557-3de0-4043-8dd4-b83629755ab8\",\"etag\":\"\\\"0600e240-0000-0100-0000-62fbba160000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulem37adr\",\"enabled\":true,\"description\":\"GetAlertRulem37adr cab7d557-3de0-4043-8dd4-b83629755ab8\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:02.3687256Z\"}}", + "Content": 
"{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"name\":\"b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"etag\":\"\\\"600083b7-0000-0100-0000-69c38d900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRule9af76e\",\"enabled\":true,\"description\":\"GetAlertRule9af76e b02e5d36-1e05-445a-a542-a588eb9c88b2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2026-03-25T07:23:59.9209504Z\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleAction.Recording.json index 307b14bb07f3..94fa2af9009d 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleAction.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelAlertRuleAction+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleAction+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "162" ], - "x-ms-client-request-id": [ "8494de4a-516c-4699-aebf-1c93f5dcea30" ], + "x-ms-unique-id": [ "5" ], + "x-ms-client-request-id": [ "1801ede2-a4c7-45de-9221-285b594f57a5" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", 
"Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11995" ], - "x-ms-request-id": [ "98093655-efb4-4e46-86da-8b781f774b96" ], - "x-ms-correlation-request-id": [ "98093655-efb4-4e46-86da-8b781f774b96" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160649Z:98093655-efb4-4e46-86da-8b781f774b96" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/65ef3569-b09d-40f7-ab4d-414d5a3923ac" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "4ecc7669-1945-4435-b850-565046bc6b3d" ], + "x-ms-correlation-request-id": [ "4ecc7669-1945-4435-b850-565046bc6b3d" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074404Z:4ecc7669-1945-4435-b850-565046bc6b3d" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:48 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: C8859462A84345258EBBE7F57DC94000 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:03Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:03 GMT" ] }, "ContentHeaders": { "Content-Length": [ "727" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_3f8b701e-a084-40d7-8f4b-a6b1482e8cc2_0ad3cc1a-0d2e-44cc-854a-f5fa08f86098/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"name\":\"0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"etag\":\"\\\"be015f15-0000-0300-0000-62fbbac20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_ac0954ee-b73d-4e95-8cac-f93c182a1c20_a05bb49a-a48a-4284-ae4b-62f2618b2c89/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"name\":\"a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"etag\":\"\\\"0802bd79-0000-0300-0000-69c38dbb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"fdce5d8d4e914b7b99bd10b290075cc2\",\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleAction+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelAlertRuleAction+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "163" ], - "x-ms-client-request-id": [ "651ca8ac-2c3e-400c-aa30-bbd0ce40243c" ], + "x-ms-unique-id": [ "6" ], + "x-ms-client-request-id": [ "a1510357-6d75-497f-a1c2-97c171c7dc16" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -63,37 +67,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11994" ], - "x-ms-request-id": [ "2f9af32a-eb7e-48c8-88b9-174412d69a51" ], - "x-ms-correlation-request-id": [ "2f9af32a-eb7e-48c8-88b9-174412d69a51" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160650Z:2f9af32a-eb7e-48c8-88b9-174412d69a51" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/06640e55-fe9c-4796-af0b-2268358b0a85" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "37aa42fc-9f4f-4b83-bfa0-485600cfb564" ], + "x-ms-correlation-request-id": [ "37aa42fc-9f4f-4b83-bfa0-485600cfb564" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074405Z:37aa42fc-9f4f-4b83-bfa0-485600cfb564" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:49 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 864B7FB6EFB44EC8BEE848454B3C4FE0 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:04Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:04 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"name\":\"0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"etag\":\"\\\"be015f15-0000-0300-0000-62fbbac20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"name\":\"a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"etag\":\"\\\"0802bd79-0000-0300-0000-69c38dbb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"fdce5d8d4e914b7b99bd10b290075cc2\",\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "164" ], - "x-ms-client-request-id": [ "6c64fdd3-d417-4739-9659-000c9bcbde9a" ], + "x-ms-unique-id": [ "7" ], + "x-ms-client-request-id": [ "5b6733dd-e764-49aa-b7dd-8fb29a9fbef6" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -104,37 +112,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11993" ], - "x-ms-request-id": [ "09604d7f-6625-4b3c-ad7c-6732ea0531d6" ], - "x-ms-correlation-request-id": [ "09604d7f-6625-4b3c-ad7c-6732ea0531d6" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160650Z:09604d7f-6625-4b3c-ad7c-6732ea0531d6" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/f9c18348-ff01-462f-a0a2-defcfca6605f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "39741283-c449-4ed0-9164-9312bbe8cb5c" ], + "x-ms-correlation-request-id": [ "39741283-c449-4ed0-9164-9312bbe8cb5c" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074405Z:39741283-c449-4ed0-9164-9312bbe8cb5c" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:49 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: E2BAB5A2B6774F788EDECF3F5342FDEE Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:05Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:05 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"name\":\"0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"etag\":\"\\\"be015f15-0000-0300-0000-62fbbac20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"name\":\"a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"etag\":\"\\\"0802bd79-0000-0300-0000-69c38dbb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"fdce5d8d4e914b7b99bd10b290075cc2\",\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview+2": { + 
"Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "165" ], - "x-ms-client-request-id": [ "d431e921-8af6-4b0b-a0f0-00e8a6b50c9d" ], + "x-ms-unique-id": [ "8" ], + "x-ms-client-request-id": [ "ff9baf8d-708d-4cfa-b570-f4cff742380e" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -145,21 +157,25 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11992" ], - "x-ms-request-id": [ "146450f1-0e8c-41de-98c4-b269dd19a83b" ], - "x-ms-correlation-request-id": [ "146450f1-0e8c-41de-98c4-b269dd19a83b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160651Z:146450f1-0e8c-41de-98c4-b269dd19a83b" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1099" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/e8bc1881-33a3-42c2-bac4-6db90adab166" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16499" ], + "x-ms-request-id": [ "668c9f94-b909-4f49-b688-0e7c8d0eb78a" ], + "x-ms-correlation-request-id": [ "668c9f94-b909-4f49-b688-0e7c8d0eb78a" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074406Z:668c9f94-b909-4f49-b688-0e7c8d0eb78a" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:51 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 889DEE1D74C84671B2E87CB01D1C7E4E Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:06Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:06 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"name\":\"0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"etag\":\"\\\"be015f15-0000-0300-0000-62fbbac20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": "{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRules/ac0954ee-b73d-4e95-8cac-f93c182a1c20/actions/a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"name\":\"a05bb49a-a48a-4284-ae4b-62f2618b2c89\",\"etag\":\"\\\"0802bd79-0000-0300-0000-69c38dbb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"fdce5d8d4e914b7b99bd10b290075cc2\",\"logicAppResourceId\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleTemplate.Recording.json b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleTemplate.Recording.json index 5b7c329571f3..fce1485f1796 100644 --- a/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleTemplate.Recording.json +++ b/src/SecurityInsights/SecurityInsights.Autorest/test/Get-AzSentinelAlertRuleTemplate.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelAlertRuleTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "166" ], - "x-ms-client-request-id": [ "afd845c9-c2b2-4d8e-a1b5-c47350b52f42" ], + "x-ms-unique-id": [ "9" ], + "x-ms-client-request-id": [ "99919a4c-fb6e-437f-9091-8a779a23e18c" ], "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], + "User-Agent": [ "AzurePowershell/v15.4.0", "PSVersion/v7.6.0", "Az.SecurityInsights/3.2.1" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -22,37 +22,41 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11991" ], - "x-ms-request-id": [ "68c6970a-ff2b-40ee-8f4d-f9bbe6a5eafa" ], - "x-ms-correlation-request-id": [ "68c6970a-ff2b-40ee-8f4d-f9bbe6a5eafa" ], - "x-ms-routing-request-id": [ "EASTUS2:20220816T160652Z:68c6970a-ff2b-40ee-8f4d-f9bbe6a5eafa" ], + "Vary": [ "Accept-Encoding" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "1098" ], + "x-ms-operation-identifier": [ "tenantId=REDACTED,objectId=REDACTED/centralus/642cd481-1d4c-4a12-a7f0-eb5be05314d1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "x-ms-ratelimit-remaining-subscription-global-reads": [ "16498" ], + "x-ms-request-id": [ "3b3fa6c6-96c9-471b-a6ea-532e4f938bce" ], + "x-ms-correlation-request-id": [ "3b3fa6c6-96c9-471b-a6ea-532e4f938bce" ], + "x-ms-routing-request-id": [ "CENTRALUS:20260325T074408Z:3b3fa6c6-96c9-471b-a6ea-532e4f938bce" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Tue, 16 Aug 2022 16:06:52 GMT" ] + "X-Cache": [ "CONFIG_NOCACHE" ], + "X-MSEdge-Ref": [ "Ref A: 8E494AA005624A8082AFCD6E60799DA7 Ref B: AMS231020512027 Ref C: 2026-03-25T07:44:07Z" ], + "Date": [ "Wed, 25 Mar 2026 07:44:07 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1435342" ], + "Content-Length": [ "1889450" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or 
isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logsfrom any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and 
ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project 
GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads 
page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and 
(ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, 
columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. 
\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", 
\\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures \\nand at least one successful authentication within a given time window. Note that the query does not enforce any sequence,\\nand does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union 
isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, 
\\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = 
dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | 
where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 
hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is 
potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated \u003c ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = 
CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend 
timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, 
AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = 
TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, 
AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to 
exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse 
CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. 
It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend \\n timestamp = TimeGenerated,\\n HostCustomEntity = Computer,\\n AccountCustomEntity = SubjectAccount\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith 
\\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, 
UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n| where EventID == 4726\\n| extend 
SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend userPrincipalName = 
tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible 
travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = 
tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an 
instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users 
within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where 
OperationNameValue hassuffix (\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion attempt from an infected device\",\"description\":\"This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. 
\\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and 
GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n 
//Extract domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend domain = tostring(domain[0])\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to 
SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, 
EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IpAddress, AutonomousSystemNumber\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * 
\u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. 
\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, 
DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and 
InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC 
detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, 
AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , 
IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, 
IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known POLONIUM IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the POLONIUM activity group. 
\\n References: BLOGURL\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.
OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated \u003e (ago(endtime)) \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated \u003e (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \\ntake-down by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ 
\\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was 
present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = 
tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD Seamless SSO\",\"description\":\"This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing 
accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, 
DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has 
(\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, 
EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as 
Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, 
SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, 
RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Gr
eaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = 
tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. 
This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. 
Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") \\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", 
DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. 
\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend 
Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 
1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where 
LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and 
files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://learn.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score 
= round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, 
NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, 
HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS 
group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow 
to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| 
extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime 
\u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", 
\\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, 
SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. 
\u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = 
tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = 
arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project 
InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend 
additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n 
OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map 
common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, 
set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 *\\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, 
\\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. 
If possible, it then decodes the malicious command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend 
EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AddedUser = TargetResources[0].userPrincipalName\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend 
AppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = 
\\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, 
HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, 
FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = 
NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: \\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"
dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = 
RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, 
\u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. 
Id the device blocked this communication\\npresence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, 
ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( TI_ipEntity)\\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=DstIpAddr, IoCIPDirection=\u0027Destination\u0027\\n ),\\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(DstIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection=\u0027Source\u0027\\n )\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, 
IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, 
UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: 
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", 
\\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where 
isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActiv
ity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//This query uses sysmon data, sections that have - | where Source == 
\\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = 
case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = \u0027Chia crypto 
IOC detected\u0027\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| 
extend timestamp = TimeGenerated, AlertDetail = \u0027Chia crypto IOC detected\u0027, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, 
Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| 
extend DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD 
against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs ) );\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession 
(starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious 
activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set 
low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n) on Url\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), 
DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies 
a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are 
stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of 
non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where 
TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. 
You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| 
extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4725 - A user account was disabled.\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, 
DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM 
Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027) | extend Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),\u0027/\u0027)[-1])\\n| extend requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend IPCustomEntity = SrcIpAddr, 
UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. 
To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto 
Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope 
corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet 
aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 
50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. 
This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize 
Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| 
extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ 
\\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. 
This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside 
PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where 
isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at 
https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where Reason !has \\\"aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs 
(10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| 
project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , 
DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\
"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| 
extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. 
Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
\\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = 
EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ 
\\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = 
InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , 
AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend 
timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U 
software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = 
columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", 
\\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", 
\\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", 
\\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", 
\\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 
DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"data
Types\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n ) on UPN\\n | where TimeDeleted \u003e TimeAdded\\n | join kind=inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | join kind = inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == 
$right.OfficeObjectId\\n )on $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies an external user is added to a Team or Teams chat\\nand shares a files which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, 
IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = 
tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"name\":\"9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let knotweed_sigs = dynamic([\\\"JumplumpDropper\\\", \\\"Jumplump\\\", \\\"Corelump\\\", \\\"Medcerc\\\", \\\"SuspModuleLoad\\\", \\\"Mexlib\\\"]);\\n let mde_data = (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n | join kind=rightouter ( SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in~ (knotweed_sigs)\\n | extend CompromisedEntity = tolower(CompromisedEntity)\\n ) on $left.DeviceName == $right.CompromisedEntity);\\n let event_data = ( Event\\n | where EventID in (1006, 1009, 1116, 1119)\\n | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\\n | mv-expand ThreatData\\n | where tostring(ThreatData.[\\\"@Name\\\"]) == \\\"Threat Name\\\"\\n | extend EventData = parse_xml(EventData)\\n | where tostring(ThreatData.[\\\"#text\\\"]) has_any (knotweed_sigs));\\n union mde_data, event_data\\n | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\\\"#text\\\"]))\\n | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\\\"#text\\\"]), \\\"/\\\")[-1])\\n | extend TimeGenerated = 
iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\\n | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\\n | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED AV Detection\",\"description\":\"This query looks for Microsoft Defender AV detections related to the KNOTWEED threat actor and the Corelump and Jumplump malware.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = 
tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), 
DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint 
(formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = 
AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies that a single source generates an excessive amount of failed connections. 
Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\n let known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where isempty(DeviceDetail.deviceId)\\n | where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomolous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet 
endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| 
where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. 
Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, 
Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub 
Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce02935c-cc67-4b77-9b96-93d9947e119a\",\"name\":\"ce02935c-cc67-4b77-9b96-93d9947e119a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"acrobatrelay.com\\\", \\\"finconsult.cc\\\", \\\"realmetaldns.com\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where DNSName in~ (DomainNames) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n), \\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n| where isnotempty(DNSName) \\n| where DNSName in~ (DomainNames) \\n| extend IPAddress = RemoteIp \\n), \\n( \\n DeviceNetworkEvents \\n| where 
isnotempty(RemoteUrl) \\n| where RemoteUrl has_any (DomainNames) \\n| extend IPAddress = RemoteIP \\n| extend Computer = DeviceName \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n) \\n) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"KNOTWEED C2 Domains July 2022\",\"description\":\"This query looks for references to known KNOTWEED Domains in network logs.\\n This query was published July 2022.\\n Ref: 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
\",\"lastUpdatedDateUTC\":\"2022-05-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, 
ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. 
Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize 
make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any 
(\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange 
server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any 
(OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = 
tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic 
([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. 
Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = 
UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), 
ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. 
\\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project 
ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ 
(sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, 
InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 IOC - July 2022\",\"description\":\"Identifies a IOC match related to Dev-0530 actor across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser)\\n | summarize by invitingUser);\\n AuditLogs\\n 
| where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitedUserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), 
Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\\nThis could 
indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User 
\\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\\nRef: 
https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), 
firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. 
Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. 
A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", 
@\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same 
recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = 
Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let 
threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. 
This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = 
\\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, 
csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. 
In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, 
ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = 
\\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 
1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking 
the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet 
aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 
and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid 
matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = 
tostring(EventData.TargetDomainName)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog 
data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// 
Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, 
UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = 
pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = 
TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = 
todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // 
unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only 
need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI 
map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, 
AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has 
\\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. 
\\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in (VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. 
This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, 
AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = 
dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any 
(servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been 
given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project 
TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", 
\\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| where 
UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. 
Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. 
laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", 
\\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = 
tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = 
dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or 
password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding 
base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, 
applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = 
tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \\n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: 
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == 
\\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let args = 
dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many 
threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"name\":\"a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629\\\", \\\"0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f\\\", \\\"441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964\\\", \\\"cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b\\\", \\\"fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc\\\", \\\"5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206\\\", 
\\\"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc\\\", \\\"02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d\\\", \\\"7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d\\\", \\\"afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec\\\", \\\"894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53\\\", \\\"4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431\\\", \\\"c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d\\\", \\\"fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca\\\", \\\"e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = 
strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, 
InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED File Hashes July 2022\",\"description\":\"This query looks for references to known KNOTWEED file hashes in various logs.\\n This query was published July 2022.\\n Ref: 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = 
SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and 
isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData 
has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = 
\\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: 
\\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\n its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData contains aadJoinRoot or EventData contains aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where 
ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData contains keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName contains keyTransportKey 
and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"AAD Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process\\n to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Azure AD joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, 
JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUser = 
iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded 
Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to 
another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to 
exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system\\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily\\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server 
configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), 
makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = 
TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex 
WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, 
which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"name\":\"f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"DeviceFileEvents\\n | where ActionType =~ \\\"FileCreated\\\"\\n | where FolderPath has \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\\\\\\\\\" \\n | where FileName endswith \\\".exe\\\" or FileName endswith \\\".dll\\\"\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"PE file dropped in Color Profile Folder\",\"description\":\"This query looks for writes of PE files to C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.\\n Ref: 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"name\":\"ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let guids = dynamic([\\\"{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\",\\\"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\",\\\"{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\", \\\"{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\", \\\"{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\"]);\\n let mde_data = DeviceRegistryEvents\\n | where ActionType =~ \\\"RegistryValueSet\\\"\\n | where RegistryKey contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where RegistryKey has_any (guids)\\n | where RegistryValueData has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\";\\n let event_data = SecurityEvent\\n | where EventID == 4657\\n | where ObjectName contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where ObjectName has_any (guids)\\n | where NewValue has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\"\\n | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectAccount;\\n union mde_data, 
event_data\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"RegistryKey\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"COM Registry Key Modified to Point to File in Color Profile Folder\",\"description\":\"This query looks for changes to COM registry keys to point to files in C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This can be used to enable COM hijacking for persistence.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceRegistryEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = 
\\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend 
TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType 
=~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", 
\\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://learn.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to 
typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for 
score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| where Target in (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. 
If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Targets\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = 
tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where DriveClass == \u0027USB\u0027 and DeviceDescription == \u0027USB Mass Storage Device\u0027\\n) on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. 
\\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, Action, AppName, OldURL, NewURL, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or 
isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = 
SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing 
campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS 
Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, 
ipAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert 
(OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.2\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, 
\u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = 
ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connect
orId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents 
to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, 
Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins 
=\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = \u0027Blocked\u0027;\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027 and action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = 
range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category == \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in 
sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range
|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = 
Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command 
line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = 
tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project 
AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where 
LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == 
\\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further 
information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend 
ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName 
endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"imProcess\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", 
\\\"-r\\\", \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| 
summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| 
project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, 
ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc 
= min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize 
ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. 
The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when 
there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | summarize by userPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where userPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, 
userPrincipalName, ipAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", 
\\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = 
parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not 
available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // 
ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://learn.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize 
AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n 
\\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", 
\\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes 
with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known NICKEL domains and hashes\",\"description\":\"IOC domains and hash values for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all 
(\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct 
DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. 
This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. \u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n 
\u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend 
Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out 
potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severi
ty\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), 
dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| 
extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, 
EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, 
InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command 
operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports\\nand the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC 
match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(ClientIP)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = tostring(ClientIPValues[0])\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = TI_ipEntity, AccountCustomEntity = UserId, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = 
@\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. 
We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query\\njoins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. 
Alerts indicate that the IP address of a machine\\nwithin your network was seen with it\u0027s IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM\u0027s\\nRunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * 
\u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. 
\\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins 
from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, 
RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend 
IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. 
\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", 
\\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 
14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where 
isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection 
attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and 
UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home 
computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once 
implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union 
isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j 
CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for 
IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\\nRef: 
https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union 
isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, 
\u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) 
or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| 
extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic 
([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. 
Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining 
potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = 
tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service 
principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another 
user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions 
that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", 
\\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where 
OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where 
NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, 
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Hive Ransomware IOC - July 2022\",\"description\":\"Identifies a hash match related to Hive Ransomware across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-05T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = iif(displayName_ =~ \u0027DelegatedPermissionGrant.Scope\u0027,\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure AD Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : 
https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: 
https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(DeviceFileEvents\\n| where ActionType == \\\"FileCreated\\\"\\n| where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, Type, InitiatingProcessId, FileName, FolderPath, EventType = ActionType, Commandline = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256, FileHashCustomEntity = SHA256\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\" \\n| where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname, DvcId, Type, EventType, FileHashCustomEntity = TargetFileSHA256, Hash, TargetFilePath, Commandline = 
ActingProcessCommandLine\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, 
UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, 
bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). 
The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession 
schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. 
ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n //Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", 
\\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service 
connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any 
(\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession 
Schema)\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections 
related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,\\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. 
startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend 
(RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", 
\\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n// Uncomment below to not alert for PIM activations\\n//| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e 
ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, 
WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, 
\\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFir
ewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result 
=~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= 
deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ExternalUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AdminInitiator\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role. By default this query\\nwill alert on any granted administrative role, however this can be modified using the roles variable if false positives occur\\nin your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the \\ndeltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2022-06-16T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ 
\u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\n let user_regex = \\\"\\\";\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userAgent = tostring(AdditionalDetails[0].value)\\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n | where AddedUser matches regex user_regex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match 
a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon with misspelled or bad password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User logon from unauthorized 
workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent \\n| where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n| extend TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !=\u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = 
column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend Activity=\\\"4625 - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = 
strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. 
This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. 
now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal 
matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or 
ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert 
(OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint 
detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \\nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = 
strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", 
\\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// 
Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects 
instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCr
eatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. 
This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\u003cbr\u003e\u003cbr\u003e\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\")\\n | extend Role = tostring(TargetResources[0].displayName)\\n | where Role contains \\\"admin\\\"\\n | extend 
AddedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedUser = tostring(TargetResources[2].userPrincipalName)\\n | project-reorder TimeGenerated, AddedUser, Role, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\n let default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where 
Result =~ \\\"success\\\"\\n | extend properties = TargetResources[0].modifiedProperties\\n | mv-expand properties\\n | evaluate bag_unpack(properties)\\n | summarize count() by displayName, TenantId\\n | where displayName !in (default_ad_attributes)\\n | top threshold by count_ desc\\n | summarize make_set(displayName) by TenantId\\n | join kind=inner (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend AccountProperties = TargetResources[0].modifiedProperties\\n | mv-expand AccountProperties\\n | extend PropName = tostring(AccountProperties.displayName)) on TenantId\\n | summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, tostring(set_displayName)\\n | extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n | where array_length(missing_props) \u003e 0\\n | join kind=innerunique (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) on CorrelationId, CreatedUserPrincipalName\\n | extend ExpectedProperties = set_displayName\\n | project-away set_displayName, set_PropName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add 
accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend 
SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= 
ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that 
are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of 
external user accounts that are added to a Team and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. 
\\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus 
fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack 
tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for 
the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend ServicePrincipal = tostring(TargetResources[0].displayName)\\n | extend SPID = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"Role.DisplayName\\\"\\n | extend TargetRole = parse_json(tostring(TargetResources_0_modifiedProperties.newValue))\\n | where TargetRole contains \\\"admin\\\"\\n | extend AddedByApp = iif(\\n 
isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)),\\n tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName),\\n tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n )\\n | extend AddedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(AddedByApp), AddedByApp, AddedByUser)\\n | extend IpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, ServicePrincipal, SPID, TargetRole, AddedBy, IpAddress\\n | project-away AddedByApp, AddedByUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| 
where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the 
authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"NRT MFA Rejected by User\",\"description\":\"Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n) )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where 
Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has 
(\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = 
Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DEV-0586 Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium
\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, 
DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = 
IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = 
count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet 
RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-27T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where 
AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| 
where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such 
malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value 
based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string 
\\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material 
triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress = SrcIpAddr, DNSName 
= DnsQuery, Host = Dvc),\\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend 
TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| where IngestionTime \u003e ago(queryfrequency)\\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount = 
dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, *)\\n by IPAddress\\n| where DistinctFailureCount \u003e DistinctSuccessCount and DistinctFailureCount \u003e= accountthreshold\\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\\nReference: 
https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts 
that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has 
\u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027 \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027 \\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: 
https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join 
kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\n let permissions = dynamic([\\\"Mail.Read\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n | where Permissions has_any (permissions)\\n | summarize AddedPermissions=make_set(Permissions) by CorrelationId\\n | join kind=inner (AuditLogs\\n | where OperationName =~ 
\\\"Add app role assignment to service principal\\\") on CorrelationId\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n | extend ServicePrincipal = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))\\n | extend SPID = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\\n | extend InitiatedBy = pack(\\\"User\\\", InitiatedBy, \\\"UA\\\", UserAgent, \\\"IPAddress\\\", IpAddress)\\n | mv-expand kind=array AddedPermissions\\n | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(InitiatedBy), make_set(AddedPermissions) by SPID, ServicePrincipal\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the 
Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from 
a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\\n| join kind=innerunique (\\n AuditLogs\\n | where 
LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\\n| where TimeRoleMgGrant \u003c TimeAdminPromo\\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after 
Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = 
tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. 
ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = 
StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better 
performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, 
\\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
\\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, 
AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only 
IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = 
columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. 
This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has 
\\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = 
datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. 
May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = 
bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", 
\\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in 
(SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, 
ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), 
NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where 
OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = 
make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.7.2\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize 
make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| 
where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, 
AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. 
This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( TI_ipEntity) \\n| project IP_List=iff(NIPs \u003e HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (ASIM 
DNS Schema)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = 
SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = 
SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, 
TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand 
parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, 
User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | 
where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between 
(ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where 
DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project 
TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = 
InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = 
InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Tarrask malware IOC - April 2022\",\"description\":\"Identifies a hash match related to Tarrask malware across various data sources.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\"
:\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been 
granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResources[0].userPrincipalName))\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. 
queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected 
IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations =\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location;\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in 
(known_locations)\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = 
extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(tostring(AddedUrls)), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the 
domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine 
the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or 
OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 
\u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using 
innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where 
TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n //StatusDetails = tostring(Status.additionalDetails),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\\n| sort by UserPrincipalName asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= failureCountThreshold \\n// expand out ip for entity assignment\\n| mv-expand IPAddress\\n| 
extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 
1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized 
File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = 
array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. 
This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet Allowedappid = 
dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-07-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy 
logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", 
\\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT 
Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = 
tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n 
UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user 
accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", 
\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend AddingUser = 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddingSPN = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingSPN)\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend Domain = tolower(split(UserAdded, \\\"@\\\")[1])\\n | where Domain !in (core_domains) and Domain !in (alternative_domains)\\n | project-away AddingUser\\n | project-reorder TimeGenerated, UserAdded, Domain, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS 
counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where 
isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), 
BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0][0])\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIPOnly\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2022-05-24T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n ),\\n 
(WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ 
(SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to 
typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. 
The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | join kind = rightanti (AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\\n | project-reorder 
ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedBy\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, IPCustomEntity = 
Source_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between 
(1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\"]);\\n SecurityAlert\\n | where ProviderName == \\\"MDATP\\\"\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in 
(UA_threats)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = 
SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend 
HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity 
= iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be 
compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.3\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName: string) {\\nlet failed_signins = table(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\";\\nlet disabled_users = failed_signins | summarize by UserPrincipalName;\\ntable(tableName)\\n | where ResultType == 0\\n | where isnotempty(UserPrincipalName)\\n | where UserPrincipalName !in (disabled_users)\\n| summarize\\n successfulAccountsTargettedCount = dcount(UserPrincipalName),\\n successfulAccountSigninSet = make_set(UserPrincipalName, 100),\\n successfulApplicationSet = make_set(AppDisplayName, 100)\\n by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountsTargettedCount < 50\\n | where isnotempty(successfulAccountsTargettedCount)\\n | join kind=inner (failed_signins\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n totalDisabledAccountLoginAttempts = count(),\\n disabledAccountsTargettedCount = dcount(UserPrincipalName),\\n applicationsTargeted = dcount(AppDisplayName),\\n disabledAccountSet = make_set(UserPrincipalName, 100),\\n disabledApplicationSet = make_set(AppDisplayName, 100)\\nby IPAddress, Type\\n| order by totalDisabledAccountLoginAttempts desc) on IPAddress\\n| project StartTime, EndTime, IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type\\n| order by totalDisabledAccountLoginAttempts};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where EventSource =~ \\\"Azure AD\\\"\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName\\n | project-rename IPAddress = SourceIPAddress\\n | summarize\\n Users = make_set(UserPrincipalName, 
100),\\n UsersInsights = make_set(UsersInsights, 100),\\n DevicesInsights = make_set(DevicesInsights, 100),\\n IPInvestigationPriority = sum(InvestigationPriority)\\n by IPAddress\\n) on IPAddress\\n| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))\\n| where SFRatio >= 0.5\\n| sort by IPInvestigationPriority desc\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.\",\"lastUpdatedDateUTC\":\"2023-11-23T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e147e4dc-849c-49e9-9e8b-db4581951ff4\",\"name\":\"e147e4dc-849c-49e9-9e8b-db4581951ff4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let baseline_time = 14d;\\nlet detection_time = 1h;\\nDynamics365Activity\\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time))\\n| where UserType =~ 'admin'\\n| extend Message = tostring(split(OriginalObjectId, ' ')[0])\\n| summarize by UserId\\n| join kind=rightanti\\n(Dynamics365Activity\\n| where TimeGenerated > ago(detection_time)\\n| where UserType =~ 'admin')\\non UserId\\n| summarize Actions = make_set(Message), MostRecentAction = max(TimeGenerated), IPs=make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId\\n| extend timestamp = MostRecentAction, AccountCustomEntity = 
UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New Dynamics 365 Admin Activity\",\"description\":\"Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ > signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins 
= \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract('User name: ([^,]+)', 1, Message) \\n | extend ClientOS = extract('Client OS version: ([^,\\\\\\\"]+)', 1, Message)\\n | extend Location = extract('Source region: ([^,]{2})',1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with the number of failed login attempts to Entra ID \\nabove a set threshold ( default of 5 ). 
It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"Low\",\"query\":\"let DistinctSecretsThreshold = 10;\\nlet EventCountThreshold = 50;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// The AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet AllowedAppId = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic([\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where OperationName in (OperationList) and ResourceType =~ \\\"VAULTS\\\"\\n| where not(identity_claim_appid_g in 
(AllowedAppId) and OperationName == 'VaultGet')\\n| extend\\n ResourceId,\\n ResultType = column_ifexists(\\\"ResultType\\\", \\\"\\\"),\\n identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"\\\"),\\n identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s = column_ifexists(\\\"identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\\\", \\\"\\\"),\\n identity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"\\\"),\\n identity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"\\\")\\n| extend\\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\\n| as _Retrievals\\n| where CallerObjectId in (toscalar(\\n _Retrievals\\n | where ResultType == \\\"Success\\\"\\n | summarize Count = dcount(requestUri_s) by OperationName, CallerObjectId\\n | where Count > DistinctSecretsThreshold\\n | summarize make_set(CallerObjectId,10000)\\n))\\n| extend\\n requestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"\\\"),\\n id_s = column_ifexists(\\\"id_s\\\", \\\"\\\"),\\n CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"\\\"),\\n clientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"\\\")\\n| summarize\\n EventCount = count(),\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n ResourceList = make_set(Resource, 50),\\n OperationNameList = make_set(OperationName, 50),\\n RequestURLList = make_set(requestUri_s, 50),\\n ResourceId = max(ResourceId),\\n CallerIPList = make_set(CallerIPAddress, 50),\\n clientInfo_sList = make_set(clientInfo_s, 50),\\n CallerIPMax = max(CallerIPAddress)\\n by ResourceType, 
ResultType, identity_claim_appid_g, CallerObjectId, CallerObjectUPN\\n | where EventCount > EventCountThreshold\\n| project-reorder StartTime, EndTime, EventCount, ResourceId,ResourceType,identity_claim_appid_g, CallerObjectId, CallerObjectUPN, ResultType, ResourceList, OperationNameList, RequestURLList, CallerIPList, clientInfo_sList\\n| extend timestamp = EndTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"CallerObjectId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.7\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID 
= \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\")\\n| where AccountType =~ \\\"User\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, \\nGroupAddTargetAccount = TargetAccount, GroupAddTargetUserName = TargetUserName, GroupAddTargetDomainName = TargetDomainName, GroupAddTargetSid = TargetSid, \\nGroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserName = SubjectUserName, GroupAddSubjectDomainName = SubjectDomainName, GroupAddSubjectUserSid = SubjectUserSid, \\nGroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), 
\\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, \\nGroupAddTargetAccount = TargetAccount, GroupAddTargetUserName = tostring(EventData.TargetUserName), GroupAddTargetDomainName = tostring(EventData.TargetDomainName), GroupAddTargetSid = TargetSid, \\nGroupAddSubjectAccount = Account, GroupAddSubjectUserName = tostring(EventData.SubjectUserName), GroupAddSubjectDomainName = tostring(EventData.SubjectDomainName), GroupAddSubjectUserSid = SubjectUserSid, \\nGroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, \\nGroupCreateTargetAccount = TargetAccount, GroupCreateTargetUserName = TargetUserName, GroupCreateTargetDomainName = TargetDomainName,\\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserName = SubjectUserName, GroupCreateSubjectDomainName = SubjectDomainName, GroupCreateSubjectUserSid = SubjectUserSid, \\nGroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A 
security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, \\nGroupCreateTargetAccount = TargetAccount, GroupCreateTargetUserName = tostring(EventData.TargetUserName), GroupCreateTargetDomainName = tostring(EventData.TargetDomainName), \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserName = tostring(EventData.SubjectUserName), GroupCreateSubjectDomainName = tostring(EventData.SubjectDomainName),GroupCreateSubjectUserSid = SubjectUserSid, \\nGroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid\\n| extend GroupCreateHostName = tostring(split(GroupCreateComputer , \\\".\\\")[0]), DomainIndex = toint(indexof(GroupCreateComputer , '.'))\\n| extend GroupCreateHostNameDomain = iff(DomainIndex != -1, substring(GroupCreateComputer , DomainIndex + 1), GroupCreateComputer)\\n| extend GroupAddHostName = tostring(split(GroupAddComputer , \\\".\\\")[0]), DomainIndex = 
toint(indexof(GroupAddComputer , '.'))\\n| extend GroupAddHostNameDomain = iff(DomainIndex != -1, substring(GroupAddComputer , DomainIndex + 1), GroupAddComputer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupCreateSubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"GroupCreateSubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"GroupCreateSubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupCreateTargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"GroupAddSubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"GroupAddSubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupCreateComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"GroupCreateHostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"GroupCreateHostNameDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GroupAddComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"GroupAddHostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"GroupAddHostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, 
timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - SUNSPOT log file creation\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = 
Process, ProcessCommandLine = CommandLine\\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\\n or ProcessCommandLine matches regex @'\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.'\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\\nor ProcessCommandLine matches regex @'\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.'\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, '\\\\\\\\', -1)[-1]\\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\\n or ProcessCommandLine matches regex @'\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.'\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"[Deprecated] - MSHTML vulnerability CVE-2021-40444 
attack\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic(['RC4-SHA', 'DES-CBC3-SHA']);\\nProofpointPOD\\n| where EventType == 'message'\\n| where TlsCipher in (tls_ciphers)\\n| extend IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue =~ \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has_any (\\\"Succeeded\\\", \\\"Success\\\")\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, 
Caller, CallerIpAddress=max_CallerIpAddress, Scope\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, Scope\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn't successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we're aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| 
project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName, Scope\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don't need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime\\n| extend CallerName = tostring(split(Caller, \\\"@\\\")[0]), CallerUPNSuffix = tostring(split(Caller, \\\"@\\\")[1])\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerName, CallerUPNSuffix, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, 
Scope\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"CallerName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"CallerUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"VirtualMachineName\"},{\"identifier\":\"AzureID\",\"columnName\":\"Scope\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports and the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed in your environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = 
dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n 
\\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", 
\\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n 
\\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", 
\\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * '(' DNSName ')' * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallNetworkRule\\\"\\n | where msg_s has_any (DomainNames)\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n | parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n | parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n | parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n | extend IPCustomEntity = SourceIP\\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | where msg_s has_any (DomainNames)\\n | parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". 
\\\" protocol \\\" \\\" details\\n | extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n | order by TimeGenerated\\n | extend IPCustomEntity = SourceIP\\n ),\\n (AZFWApplicationRule\\n | where Fqdn has_any (DomainNames)\\n | extend IPCustomEntity = SourceIp\\n ),\\n (AZFWDnsQuery\\n | where isnotempty(QueryName)\\n | where QueryName has_any (DomainNames)\\n | extend DNSName = QueryName\\n | extend IPCustomEntity = SourceIp\\n )\\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Barium domains\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.3\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend timestamp = 
TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"AzureID\",\"columnName\":\"_ResourceId\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App Services.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs\\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend _parsedIntiatedByUser = parse_json(tostring(InitiatedBy.user))\\n| extend _parsedIntiatedByApp = parse_json(tostring(InitiatedBy.app))\\n| extend IPAddress = tostring(_parsedIntiatedByUser.ipAddress)\\n| extend InitiatedByUser = iff(isnotempty(tostring(_parsedIntiatedByUser.userPrincipalName)),\\n tostring(_parsedIntiatedByUser.userPrincipalName), tostring(_parsedIntiatedByApp.displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\")\\n| extend _parsedRequestParameters = 
parse_json(RequestParameters)\\n| extend InstanceProfileName = tostring(_parsedRequestParameters.InstanceProfileName)\\n| extend TargetUser = tostring(_parsedRequestParameters.userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, UserName = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Multi-Factor Authentication Disabled for a User\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. 
This alert identifies when an attempt has been made to deactivate MFA for a user.\",\"lastUpdatedDateUTC\":\"2024-01-16T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * 'TargetObject\\\">' TargetObject \\\"<\\\" * 'Details\\\">' Details \\\"<\\\" * \\n| where TargetObject=~\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\\n| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has 
'.',substring(Computer,indexof(Computer,'.')+1),'')\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@'\\\\A(.*?)@', 1, SrcUserUpn)\\n| extend 
sender_domain = extract(@'@(.*)$', 1, SrcUserUpn)\\n| extend recipient = extract(@'\\\\A(.*?)@', 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@'@(.*)$', 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"NoResultType\\\"), \\nrequestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"None\\\"), \\nidentity_claim_oid_g = 
column_ifexists(\\\"identity_claim_oid_g\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), \\nclientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"None\\\"), \\nidentity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"None\\\"),\\nidentity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=make_list(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, identity_claim_upn_s, clientInfo_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = StartTimeUtc\\n| extend Name = tostring(split(identity_claim_upn_s,'@',0)[0]), UPNSuffix = tostring(split(identity_claim_upn_s,'@',1)[0]), AadUserId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. 
This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7\",\"name\":\"58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Filter GCP Audit Logs to exclude service accounts\\nGCPAuditLogs \\n| where PrincipalEmail !endswith \\\"gserviceaccount.com\\\"\\n// Exclude system-related authentication information\\n| where AuthenticationInfo !has (\\\"system:\\\")\\n// Extract GCP request name and relevant attributes\\n| extend GCPRequestName= parse_json(Request).name\\n| extend\\n GCPAccoutType= tostring(split(GCPRequestName, \\\"/\\\")[2]),\\n GCPUserIdentity = iff(isempty(tostring(split(GCPRequestName, \\\"/\\\")[3])), tostring(parse_json(AuthenticationInfo).principalEmail), \\\"na\\\"), \\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\\n GCPCallerUA = tostring(parse_json(RequestMetadata).callerSuppliedUserAgent)\\n// Filter out empty or service account identities\\n| where isnotempty(GCPUserIdentity) and GCPUserIdentity !endswith \\\"gserviceaccount.com\\\"\\n// Select relevant attributes for further analysis\\n| project\\n PrincipalEmail,\\n GCPUserIdentity,\\n GCPAccoutType,\\n 
GCPRequestName,\\n GCPCallerUA,\\n Request,\\n RequestMetadata,\\n GCPUserIp,\\n MethodName,\\n ServiceName,\\n GCPEventTime= TimeGenerated,\\n ProjectId\\n// Join GCP Audit Logs with SecurityAlert data based on user identity and IP\\n| join kind=inner ( \\n SecurityAlert \\n // Exclude alerts from Azure Sentinel\\n | where ProductName !in (\\\"Azure Sentinel\\\")\\n // Extract IP entities from alert data\\n | extend AlertIPEntity= tostring(extract(@\\\"\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\", 0, Entities))\\n | extend\\n AlertUserUPN = tostring(extract(@'\\\\b[\\\\w\\\\.\\\\-]+@[\\\\w\\\\.\\\\-]+\\\\b', 0, Entities)),\\n AlertTime= TimeGenerated\\n // Filter out empty user identities and IP entities\\n | where isnotempty(AlertIPEntity) and isnotempty(AlertUserUPN)\\n )\\n on $left.GCPUserIdentity == $right.AlertUserUPN and $left.GCPUserIp == $right.AlertIPEntity\\n// Summarize the data, calculating time differences and aggregating attributes\\n| summarize\\n FirstAlert=min(AlertTime),\\n LastAlert=max(AlertTime),\\n TimeDiff=datetime_diff('minute', min(AlertTime), min(GCPEventTime)),\\n MethodName=make_set(MethodName),\\n ServiceName= make_set(ServiceName),\\n GCPProjctId=make_set(ProjectId),\\n Request=make_set(Request),\\n GCPCallerUA=make_set(GCPCallerUA)\\n by\\n AlertUserUPN,\\n AlertIPEntity,\\n GCPUserIp,\\n GCPUserIdentity,\\n AlertSeverity,\\n AlertName,\\n AlertLink,\\n Description,\\n Tactics,\\n ProductName,\\n SystemAlertId,\\n GCPAccoutType\\n// Extend the data with additional attributes\\n| extend\\n Name = tostring(split(GCPUserIdentity, \\\"@\\\")[0]),\\n UPNSuffix = tostring(split(GCPUserIdentity, 
\\\"@\\\")[1])\",\"customDetails\":{\"AlertName\":\"AlertName\",\"FirstAlert\":\"FirstAlert\",\"LastAlert\":\"LastAlert\",\"TimeDiff\":\"TimeDiff\",\"MethodName\":\"MethodName\",\"GCPProjctId\":\"GCPProjctId\",\"GCPCallerUA\":\"GCPCallerUA\",\"ServiceName\":\"ServiceName\",\"AlertUserUPN\":\"AlertUserUPN\",\"SystemAlertId\":\"SystemAlertId\",\"Tactics\":\"Tactics\",\"Request\":\"Request\",\"CorrelationWith\":\"GCPAuditLogs\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GCPUserIp\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A user {{GCPUserUPN}} has been linked to {{AlertName}}, and has potentially suspicious behavior within the GCP environment from, originating from the IP address {{GCPUserIp}}.\",\"alertDescriptionFormat\":\" This detection compiles and correlates unauthorized user access alerts originating from {{ProductName}} With Alert Description '{{Description}}' observed activity in GCP environmeny. It focuses on Microsoft Security, specifically targeting user bhaviour and network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint users suspicious activity to access both Azure and GCP resources. 
\\n\\n Microsoft Security ALert Link : '{{AlertLink}}'\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"AlertSeverity\"},\"tactics\":[\"InitialAccess\",\"Execution\",\"Persistence\",\"PrivilegeEscalation\",\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Cross-Cloud Suspicious user activity observed in GCP Envourment\",\"description\":\"\\nThis detection query aims to correlate potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products. This correlation facilitates the identification of potential cross-cloud security incidents. By summarizing these findings, the query provides valuable insights into cross-cloud identity threats and their associated details, enabling organizations to respond promptly and mitigate potential risks effectively.\\n\",\"lastUpdatedDateUTC\":\"2023-10-06T00:00:00Z\",\"createdDateUTC\":\"2023-10-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"GCPAuditLogsDefinition\",\"dataTypes\":[\"GCPAuditLogs\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated >= timeframe\\n| extend AccountName = tostring(split(surfaced_auth_user_name_s, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(surfaced_auth_user_name_s, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"surfaced_auth_user_name_s\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"surfaced_auth_access_device_ip_s\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = 
Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * 'SHA256=' SHA256 ',' *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in 
Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = 
Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"[Deprecated] - Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/provi
ders/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let CombinedSignInLogs = union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs;\\n // Combine AADNonInteractiveUserSignInLogs and SigninLogs into a single table\\n // Fetch Azure IP address ranges data from a JSON file hosted on GitHub\\n let AzureRanges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n [\\\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\\\"] with(format='multijson')\\n // Load Azure IP address ranges from the JSON file hosted on GitHub\\n | mv-expand values\\n // Expand the values column into separate rows\\n | extend Name = values.name, AddressPrefixes = tostring(values.properties.addressPrefixes);\\n // Create additional columns for the name and address prefixes\\n // Identify known locations to be excluded from analysis\\n let ExcludedKnownLocations = CombinedSignInLogs\\n // Filter the combined logs based on the specified time range\\n | where TimeGenerated between (ago(14d)..ago(1d))\\n // Filter by specific ResultType\\n | where ResultType == 0\\n // Summarize the logs by location\\n | summarize by Location;\\n // Find sign-in locations matching specific criteria\\n let MatchedLocations = materialize(CombinedSignInLogs\\n // Filter the combined logs based on the specified time range\\n | where TimeGenerated > ago(1d)\\n // Exclude specific ResultTypes\\n | where ResultType !in (50126, 50053, 50074, 70044)\\n // Exclude known locations\\n | where Location !in (ExcludedKnownLocations));\\n // Match IP addresses of matched locations with Azure IP address 
ranges\\n let MatchedIPs = MatchedLocations\\n // Use the 'ipv4_lookup' function to match IP addresses with Azure IP address ranges\\n | evaluate ipv4_lookup(AzureRanges, IPAddress, AddressPrefixes)\\n // Project only the IPAddress column\\n | project IPAddress;\\n // Exclude IP addresses that are already matched with Azure IP address ranges\\n let MaxSetSize = 5; // Set the maximum size limit for make_set\\n let ExcludedIPs = MatchedLocations\\n // Filter out IP addresses that are already matched\\n | where not (IPAddress in (MatchedIPs))\\n // Exclude empty or null Location values\\n | where isnotempty(Location)\\n // Handle dynamic and string column values for LocationDetails and DeviceDetail\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n // Extract location details (city and state)\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n // Summarize the data based on UserPrincipalName, Location, and Category\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated),\\n make_set(Result, MaxSetSize), make_set(IPAddress, MaxSetSize),\\n make_set(UserAgent, MaxSetSize), make_set(Place, MaxSetSize),\\n make_set(DeviceId, MaxSetSize) by UserPrincipalName, Location, Category\\n // Extract the username prefix and suffix from UserPrincipalName\\n | extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = 
tostring(split(UserPrincipalName,'@',1)[0]);\\n ExcludedIPs // Output the final result set\\n | extend IP = set_IPAddress[0]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a login attempt from a country that has not seen a successful login in the previous 14 days.\\nThreat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\nAuthentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"AWSC
loudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin), indexId = indexof(tostring(UserIdentityPrincipalid),\\\":\\\")\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| where SessionIssuerUserName !contains \\\"AWSReservedSSO\\\"\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, indexId\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. 
This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend CreatorUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatorIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", 
ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend DeleterUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend DeleterIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between (ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, CreatorUserPrincipalName, DeleterUserPrincipalName, CreatorIPAddress, DeleterIPAddress, list_Activities, list_AssignedRoles, 
AliveTime\\n| extend CreatorName = tostring(split(CreatorUserPrincipalName, \\\"@\\\")[0]), CreatorUPNSuffix = tostring(split(CreatorUserPrincipalName, \\\"@\\\")[1])\\n| extend DeleterName = tostring(split(DeleterUserPrincipalName, \\\"@\\\")[0]), DeleterSuffix = tostring(split(DeleterUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatorUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"CreatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"CreatorUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeleterUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"DeleterName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"DeleterSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CreatorIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeleterIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend HostName = split(DeviceName, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'), FileHashAlgorithm = 
\\\"SHA256\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"},{\"identifier\":\"CommandLine\",\"columnName\":\"ProcessCommandLine\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"SHA256\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"This query identifies the host and account that executed AdFind, by hash and filename, in addition to the flags commonly utilized by various threat actors during the reconnaissance phase.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.10\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue =~ 
\\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has_any (\\\"Success\\\", \\\"Succeeded\\\")\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend AccountName = tostring(split(Caller, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Caller, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where 
InitiatingProcessFileName has \\\"svchost.exe\\\" and FileName has \\\"NetSetupSvc.dll\\\"\\n| extend HashAlgorithm = \\\"SHA1\\\"\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"InitiatingProcessSHA1\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, 
edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime <= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n),\\n(WindowsEvent\\n| where TimeGenerated > ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| where Process has_any (build_processes)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated > ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime <= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n))\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The 
query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n 'Not 
Available')\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend AccountName = tostring(split(InitiatedBy, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatedBy, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Microsoft Entra ID (Azure AD) organization. 
\\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nunion isfuzzy=true(\\nAZFWApplicationRule\\n| where Action == \\\"Deny\\\"\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ >= [\\\"threshold\\\"]),\\n(AZFWNetworkRule\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = DestinationIp\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ >= [\\\"threshold\\\"]),\\n(AZFWFlowTrace\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = DestinationIp\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ >= [\\\"threshold\\\"]),\\n(AZFWIdpsSignature\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = DestinationIp\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ >= [\\\"threshold\\\"]),\\n(AzureDiagnostics\\n| where OperationName in 
(\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n| extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n| extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n| extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n| extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n| extend Protocol = tostring(msg_a[0]), SourceIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), DestinationIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), Action = tostring(msg_a[7])\\n| where Action == \\\"Deny\\\"\\n| extend Fqdn = iff(DestinationIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",DestinationIp)\\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\\n| where count_ >= [\\\"threshold\\\"])\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIp\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Fqdn\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure 
Firewall.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\",\"AZFWFlowTrace\",\"AZFWIdpsSignature\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Duration to look back for recent logs (1 hour)\\nlet ioc_lookBack = 14d; // Duration to look back for recent threat intelligence indicators (14 days)\\n// Create a list of top-level domains (TLDs) in our threat feed for later validation of extracted domains\\nlet list_tlds = \\n ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now()\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\nlet Domain_Indicators = \\n ThreatIntelligenceIndicator\\n // Filter to pick up only IOC's that contain the entities we want (in this case, DomainName)\\n | where isnotempty(DomainName)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | 
where Active == true and ExpirationDateTime > now()\\n | extend TI_DomainEntity = DomainName;\\nDomain_Indicators\\n // Join with CommonSecurityLog to find potential malicious activity\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceVendor =~ 'Palo Alto Networks'\\n | where DeviceEventClassID =~ 'url'\\n // Uncomment the line below to only alert on allowed connections\\n // | where DeviceAction !~ \\\"block-url\\\"\\n // Extract domain from RequestURL, if not present, extract it from AdditionalExtensions\\n | extend PA_Url = coalesce(RequestURL, \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !in~ ('None', 'http://None', 'https://None') and PA_Url !startswith \\\"http://\\\" and PA_Url !startswith \\\"https://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), PA_Url)\\n | extend PA_Url = iif(PA_Url !in~ ('None', 'http://None', 'https://None') and PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url)\\n | extend Domain = trim(@\\\"\\\"\\\"\\\", tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, '.')\\n // Split out the top-level domain (TLD) for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n // Validate parsed domain by checking TLD against TLDs from the threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.TI_DomainEntity == $right.Domain\\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\\n // Group the results 
by IndicatorId and Domain and keep only the latest CommonSecurityLog_TimeGenerated\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n // Select the desired fields for the final result set\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\\n // Add a new field 'timestamp' for convenience, using the CommonSecurityLog_TimeGenerated as its value\\n | extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PA_Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\",\\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\",\\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\",\\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ 
:]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2024-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic(['vip1@email.com','vip2@email.com']);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist(\\\"VIPUsers\\\")', \\\"_GetWatchlist('VIPUsers')\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountName = tostring(split(AADEmail, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(AADEmail, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters for specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 
60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated > ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = tostring(todynamic(LocationDetails)['countryOrRegion'])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated > ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | where not (Operation in~ (\\\"MemberAdded\\\", \\\"MemberRemoved\\\") and CommunicationType in~ (\\\"GroupChat\\\", \\\"OneonOne\\\")) // These events have been noisy and are related to initiaing chat conversation and not admin operations.\\n | project OperationTimeGenerated = TimeGenerated, UserId = 
tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries >= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta >= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence < countryPrevalenceThreshold\\n | project\\n UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. 
(SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuspiciousIP\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges). \\nPlease note, if the initial logic of prevalence to find suspicious logon activity is noisy then consider adding filtering based on Location. 
\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2024-12-17T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureNetworkAnalytics_CL logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) 
== false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now();\\n// Perform a join between IP indicators and AzureNetworkAnalytics_CL logs for NSG Flow information\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated >= ago(dt_lookBack)\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n | extend PIPs = split(PublicIPs_s, '|', 0)\\n | extend PIP = tostring(PIPs[0])\\n )\\n on $left.TI_ipEntity == $right.PIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime\\n // Filter out NSG Flow logs that are not allowed (FlowStatus_s == \\\"A\\\")\\n | where FlowStatus_s == \\\"A\\\"\\n // Group the results by IndicatorId and PIP (Public IP), and keep the log entry with the latest timestamp\\n | summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n // Select the desired output fields\\n | project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Extract hostname and DNS domain from the Computer field\\n | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\\n // Rename the timestamp field\\n 
| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"TI_ipEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has 
(\\\"sdelete\\\")\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | extend AccountName = tostring(split(TargetAccount, @'\\\\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a 
host.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic(['Services\\\\\\\\HealthService', 'Services\\\\\\\\Sense', 'Services\\\\\\\\WinDefend', 'Services\\\\\\\\MsSecFlt', 'Services\\\\\\\\DiagTrack', 'Services\\\\\\\\SgrmBroker', 'Services\\\\\\\\SgrmAgent', 'Services\\\\\\\\AATPSensorUpdater' , 'Services\\\\\\\\AATPSensor', 'Services\\\\\\\\mpssvc']);\\nlet filename = dynamic([\\\"subinacl.exe\\\",'SetACL.exe']);\\nlet parameters = dynamic (['/deny=SYSTEM', '/deny=S-1-5-18', '/grant=SYSTEM=r', '/grant=S-1-5-18=r', 'n:SYSTEM;p:READ', 'n1:SYSTEM;ta:remtrst;w:dacl']);\\nlet FullAccess = dynamic(['A;CI;KA;;;SY', 'A;ID;KA;;;SY', 'A;CIID;KA;;;SY']);\\nlet ReadAccess = dynamic(['A;CI;KR;;;SY', 'A;ID;KR;;;SY', 'A;CIID;KR;;;SY']);\\nlet DenyAccess = dynamic(['D;CI;KR;;;SY', 'D;ID;KR;;;SY', 'D;CIID;KR;;;SY']);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == 'Key'\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * 'OldSd\\\">' OldSd \\\"<\\\" *\\n| parse EventData with * 'NewSd\\\">' 
NewSd \\\"<\\\" *\\n| extend Reason = case( (OldSd has ';;;SY' and NewSd !has ';;;SY'), 'System Account is removed', (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , 'System permission has been changed to read from full access', (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), 'System account has been given denied permission', 'None')\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| where ProcessName in~ (filename)\\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has 'Key'\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == 'Key'\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has ';;;SY' and NewSd !has ';;;SY'), 'System Account is removed', (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , 'System permission has been changed to read from full access', (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), 'System account has been given denied permission', 'None')\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - 
Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| where ProcessName in~ (filename)\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated >= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename)\\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = 
tostring(split(Account, \\\"\\\\\\\\\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified.\\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity.\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - 
https://github.com/OTRF/Set-AuditRule\\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2024-06-14T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02f6c2e5-219d-4426-a0bf-ad67abc63d53\",\"name\":\"02f6c2e5-219d-4426-a0bf-ad67abc63d53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let lookback_start = 7d;\\nlet lookback_end = 1d;\\nlet timedelta = 5s;\\n// Get a list of previously seen DLLs being loaded\\nlet known_dlls = (Event\\n| where TimeGenerated between(ago(lookback_start)..ago(lookback_end))\\n| where EventID == 7\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend LoadedItems = parse_json(tostring(parse_json(tostring(EvData.DataItem)).EventData)).[\\\"Data\\\"]\\n| mv-expand LoadedItems\\n| where tostring(LoadedItems.[\\\"@Name\\\"]) =~ \\\"ImageLoaded\\\"\\n| extend DLL = tostring(LoadedItems.[\\\"#text\\\"])\\n| summarize by DLL);\\n// Get Image Load events related to svchost.exe\\nEvent\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n// Image Load Event in Sysmon\\n| 
where EventID == 7\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Images = parse_json(tostring(parse_json(tostring(EvData.DataItem)).EventData)).[\\\"Data\\\"]\\n| mv-expand Images\\n// Parse out executing process\\n| where tostring(Images.[\\\"@Name\\\"]) =~ \\\"Image\\\"\\n| extend Image = tostring(Images.[\\\"#text\\\"])\\n| where Image endswith \\\"\\\\\\\\svchost.exe\\\"\\n// Parse out loaded DLLs\\n| extend LoadedItems = parse_json(tostring(parse_json(tostring(EvData.DataItem)).EventData)).[\\\"Data\\\"]\\n| mv-expand LoadedItems\\n| where tostring(LoadedItems.[\\\"@Name\\\"]) =~ \\\"ImageLoaded\\\"\\n| extend DLL = tostring(LoadedItems.[\\\"#text\\\"])\\n| extend Image = tostring(Image)\\n| extend ImageLoadTime = TimeGenerated\\n// Join with processes with a command line related to COM Event System\\n| join kind = inner(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n// Sysmon process execution events\\n| where EventID == 1\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend ParentImage = tostring(column_ifexists(\\\"ParentImage\\\", \\\"NotAvailable\\\"))\\n// Command line related to COM Event System\\n| where ParentImage endswith \\\"\\\\\\\\svchost.exe\\\"\\n//| where ParentCommandLine has_all (\\\" -k LocalService\\\",\\\" -p\\\",\\\" -s EventSystem\\\")\\n| extend ProcessExecutionTime = TimeGenerated) on $left.Image == $right.ParentImage\\n// Check timespan between DLL load and process creation\\n| 
extend delta = ProcessExecutionTime - ImageLoadTime\\n| where ImageLoadTime <= ProcessExecutionTime and delta <= timedelta\\n// Filter to only newly seen DLLs\\n| where DLL !in (known_dlls)\\n| extend ParentCommandLine = tostring(column_ifexists(\\\"ParentCommandLine\\\", \\\"NotAvailable\\\"))\\n| project-reorder ImageLoadTime, ProcessExecutionTime , Image, ParentCommandLine, DLL\\n| extend Hashes = tostring(column_ifexists(\\\"Hashes\\\", \\\"NotAvailable, NotAvailable\\\"))\\n| extend Hashes = split(Hashes, \\\",\\\")\\n| mv-apply Hashes on (summarize FileHashes = make_bag(pack(tostring(split(Hashes, \\\"=\\\")[0]), tostring(split(Hashes, \\\"=\\\")[1]))))\\n| extend SHA1 = tostring(FileHashes.SHA1)\\n| extend HashAlgo = \\\"SHA1\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(UserName, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(UserName, \\\"\\\\\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"SHA1\"},{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgo\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"COM Event System Loading New DLL\",\"description\":\"This query uses Sysmon Image Load (Event ID 7) and Process Create (Event ID 1) data to look for COM Event System being used to load a newly seen 
DLL.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated > ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| 
summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated > ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\\n// Look for the System process receiving connections\\n| where process == 'System' and Initiated == 'false'\\n| where DestinationIp !in ('::1','0:0:0:0:0:0:0:1')\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex 
+ 1), Computer)\\n| extend AccountName = tostring(split(UserName, @'\\\\')[1]), AccountNTDomain = tostring(split(UserName, @'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIp\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: 
https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nSecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n| join kind=inner (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n) on $left.CompromisedEntity == $right.DeviceName\\n| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))\\n| extend HostNameDomain = 
iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors.\\nIn Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AppServiceHTTPLogs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat 
intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n // Filtering out rows where the Confidence Score is less than 50 as they would not have an Alert Priority label. \\n | where ConfidenceScore > 50\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Determine AlertPriority based on ConfidenceScore\\n | extend AlertPriority = case(ConfidenceScore > 82, \\\"High\\\",\\n ConfidenceScore > 74, \\\"Medium\\\",\\n \\\"Low\\\")\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now();\\n// Perform a join between IP indicators and AppServiceHTTPLogs to identify potential malicious activity\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, '/')[8]\\n | extend AppService_TimeGenerated = TimeGenerated // Rename 
time column for clarity\\n )\\n on $left.TI_ipEntity == $right.CIp\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AppService_TimeGenerated < ExpirationDateTime\\n // Group the results by IndicatorId and CIp, and keep the log entry with the latest timestamp\\n | summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n // Select the desired output fields\\n | project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId, Type\\n // Extract hostname and DNS domain from the CsHost field\\n | extend HostName = tostring(split(CsHost, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CsHost, '.'), 1, -1), '.'))\\n // Rename the timestamp field\\n | extend timestamp = AppService_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"CsUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CIp\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":null,\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"AlertPriority\"},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9a7f6651-801b-491c-a548-8b454b356eaa\",\"name\":\"9a7f6651-801b-491c-a548-8b454b356eaa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZincOctober2022IOCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_path = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet commandline = (iocs | where Type =~ \\\"commandline\\\" | project IoC);\\n(union isfuzzy=true \\n(DeviceNetworkEvents\\n| where InitiatingProcessFolderPath has_any (file_path) or InitiatingProcessCommandLine has_any (commandline)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName\\n),\\n(Event\\n| where Source =~ 
\\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where Image has_any (file_path) or CommandLine has_any (commandline)\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostEntity = Computer , AccountEntity = UserName, ProcessEntity = tostring(split(Image, '\\\\\\\\', -1)[-1])\\n), \\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path)) or ( InitiatingProcessCommandLine has_any (commandline)) or (InitiatingProcessFolderPath has_any (file_path)) or (InitiatingProcessFolderPath has_any (commandline)) or (FolderPath has_any (file_path)) or (FolderPath has_any (commandline))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessFolderPath has_any (file_path)) or (InitiatingProcessFolderPath has_any (commandline)) or (FolderPath has_any (file_path)) or (FolderPath has_any (commandline)) or ( InitiatingProcessCommandLine has_any (commandline)) or ( InitiatingProcessCommandLine has_any (file_path))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, 
RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = RequestAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path)) or ( InitiatingProcessCommandLine has_any (commandline)) or (InitiatingProcessFolderPath has_any (file_path)) or (InitiatingProcessFolderPath has_any (commandline)) or (FolderPath has_any (file_path)) or (FolderPath has_any (commandline))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path)) or ( CommandLine has_any (commandline)) or (NewProcessName has_any (file_path)) or (NewProcessName has_any (commandline)) or (ParentProcessName has_any (file_path)) or (ParentProcessName has_any (commandline))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostEntity = Computer , AccountEntity = Account, ProcessEntity = NewProcessName\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(HostEntity, '.'), 1, -1), '.'))\\n| extend Name = tostring(split(AccountEntity, '@', 0)[0]), UPNSuffix = tostring(split(AccountEntity, '@', 
1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIP\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Zinc Actor IOCs files - October 2022\",\"description\":\"Identifies a match across filename and commandline IOC's related to an actor tracked by Microsoft as Zinc.\\nReference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-09-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\
",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated > ago(timeframe+spanoftime)\\n // A user account was created\\n | where EventID == 4720\\n | where AccountType =~ \\\"User\\\"\\n | project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToCreate = SubjectAccount, CreatedBySubjectUserName = SubjectUserName, CreatedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToCreate = SubjectUserSid, UserPrincipalName\\n ),\\n (\\n WindowsEvent\\n | where TimeGenerated > ago(timeframe+spanoftime)\\n // A user account was created\\n | where EventID == 4720\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | extend Activity = \\\"4720 - A user account was created.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity 
= Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToCreate = SubjectAccount, CreatedBySubjectUserName = SubjectUserName, CreatedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToCreate = SubjectUserSid, UserPrincipalName\\n )\\n )\\n| join kind = inner \\n(\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated > ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n | where AccountType == \\\"User\\\"\\n | project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDelete = SubjectAccount, DeletedBySubjectUserName = SubjectUserName, DeletedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDelete = SubjectUserSid, UserPrincipalName\\n ),\\n (WindowsEvent\\n | where TimeGenerated > ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType == \\\"User\\\"\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | extend Activity = \\\"4726 - A user account was deleted.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDelete = SubjectAccount, DeletedBySubjectUserName = SubjectUserName, DeletedBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDelete = SubjectUserSid, UserPrincipalName\\n )\\n )\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime < spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete, TargetUserName, TargetDomainName, \\nCreatedBySubjectUserName, CreatedBySubjectDomainName, DeletedBySubjectUserName, DeletedBySubjectDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToCreate\"},{\"identifier\":\"Name\",\"columnName\":\"CreatedBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"CreatedBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToDelete\"},{\"identifier\":\"Name\",\"columnName\":\"DeletedBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"DeletedBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and an adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') \\nand InitiatingProcessCommandLine has ('sc minute /mo 1 /F /ru system'))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, 
InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and CommandLine has ('/sc minute /mo 1 /F /ru system'))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and ActingProcessCommandLine has ('/sc minute /mo 1 /F /ru system'))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = 
extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\"\\n| where (Hashes[1] has_any (sha256Hashes)) or ( CommandLine has ('cmd.exe /Q /c schtasks /create /tn lockertask /tr') and CommandLine has ('/sc minute /mo 1 /F /ru system')) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == 'H0lyGh0st@mail2tor.com'\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), 
\\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\"), FileHashCustomEntity = FileHash\\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName 
\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAZFWApplicationRule\\n| where Fqdn has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(\\nAZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Dev-0530 IOC - July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. 
To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\
"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists('ObjectServer', \\\"\\\"), ObjectType = column_ifexists('ObjectType', \\\"\\\"), ObjectName = column_ifexists('ObjectName', \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. 
with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(TargetAccount, @'\\\\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\\\\')[0])\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| 
parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n| parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n| parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n| parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n| extend IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". 
\\\" protocol \\\" \\\" details\\n| extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n| order by TimeGenerated\\n| extend IPCustomEntity = SourceIP\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (DomainNames)\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Known Ruby Sleet domains and hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", 
\\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend HostName = iff(Computer has '.', substring(Computer,0,indexof(Computer,'.')),Computer)\\n| extend DnsDomain = iff(Computer has '.', 
substring(Computer,indexof(Computer,'.')+1),\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Defender Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Defender Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\",\"lastUpdatedDateUTC\":\"2023-03-15T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.8\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true\\n(\\nSecurityEvent\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType == \\\"User\\\"\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where 
TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = iff(MemberName == \\\"-\\\", MemberName, substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3))\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, \\nSubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid\\n),\\n(\\nWindowsEvent\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = iff(MemberName == \\\"-\\\", MemberName, substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3))\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName), \\nTargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), \\nSubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, \\nSubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid\\n)\\n| extend GroupAddedMemberTo = TargetAccount, AddedByAccount = SubjectAccount, AddedByAccountName = SubjectUserName, AddedByAccountDomainName = SubjectDomainName, \\nAddedByAccountSid = SubjectUserSid, AddedMemberName = SimpleMemberName, AddedMemberSid = MemberSid\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AddedMemberName\"},{\"identifier\":\"Sid\",\"columnName\":\"AddedMemberSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group such as the 
Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\" and LoggedByService =~ \\\"Core Directory\\\" and OperationName in~ (\\\"Add delegated permission grant\\\", \\\"Add app role assignment to service principal\\\")\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\\n | extend props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on\\n (\\n where Property.displayName in~ (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n | extend DisplayName = tostring(Property.displayName), PermissionGrant = trim('\\\"',tostring(Property.newValue))\\n )\\n| where PermissionGrant has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| mv-apply Property = props on\\n (\\n where Property.displayName =~ 
\\\"ServicePrincipal.DisplayName\\\"\\n | extend TargetAppDisplayName = trim('\\\"',tostring(Property.newValue))\\n )\\n| mv-apply Property = props on\\n (\\n where Property.displayName =~ \\\"ServicePrincipal.ObjectID\\\"\\n | extend TargetAppServicePrincipalId = trim('\\\"',tostring(Property.newValue))\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project TimeGenerated, OperationName, Result, PermissionGrant, TargetAppDisplayName, TargetAppServicePrincipalId, InitiatingAppName, InitiatingAppServicePrincipalId,\\nInitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, TargetResources, AdditionalDetails, CorrelationId\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetAppDisplayName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Microsoft Entra ID Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\\nAn adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : 
https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic(['SYSTEM']);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain 
toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, DeviceName = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated >= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain\\n),\\n(\\nEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| 
parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountName = tostring(split(User, @'\\\\')[1]), AccountUPNSuffix = tostring(split(User, @'\\\\')[0]), DeviceName = Computer\\n)\\n)\\n| extend Account = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempts to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. 
It is advisable to keep process name commented but if the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s >= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability 
is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2022-12-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend AppDisplayName = tostring(TargetResource.displayName),\\n AppClientId = tostring(TargetResource.id),\\n props = TargetResource.modifiedProperties\\n )\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| mv-apply ConsentFull = props on \\n (\\n where ConsentFull.displayName =~ \\\"ConsentAction.Permissions\\\"\\n )\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull has_all 
(\\\"user.read\\\", \\\"offline_access\\\", \\\"mail.readwrite\\\", \\\"mail.send\\\", \\\"files.read.all\\\")\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantInitiatedByAppName = tostring(InitiatedBy.app.displayName)\\n| extend GrantInitiatedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend GrantInitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend GrantInitiatedByAadUserId = tostring(InitiatedBy.user.id)\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(GrantInitiatedByUserPrincipalName), GrantInitiatedByUserPrincipalName, GrantInitiatedByAppName)\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend GrantUserAgent = AdditionalDetail.value\\n )\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend props = TargetResource.modifiedProperties,\\n AppClientId = tostring(TargetResource.id)\\n )\\n | mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"AppAddress\\\" and Property.newValue has \\\"AddressType\\\"\\n | 
extend AppReplyURLs = trim('\\\"',tostring(Property.newValue))\\n )\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\\n | extend GrantAuthentication = tostring(TargetResource.displayName)\\n )\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, Name = tostring(split(GrantInitiatedByUserPrincipalName,'@',0)[0]), UPNSuffix = 
tostring(split(GrantInitiatedByUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GrantInitiatedByUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GrantIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimProcessCreate\\n| where ((Process has_any (files1)) and (ActingProcessSHA256 
has_any (FileHash1))) or ((Process has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (\\n SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | mv-expand todynamic(Entities)\\n | extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n | where isnotempty(DvcId)\\n // Higher risk score are for Defender alerts related to threat actor\\n | extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n | project DvcId, AlertRiskScore) \\n on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend AccountName = tostring(split(ActorUsername, @'\\\\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\\\\')[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ActingProcessFilename\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. 
The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0a3f4f4f-46ad-4562-acd6-f17730a5aef4\",\"name\":\"0a3f4f4f-46ad-4562-acd6-f17730a5aef4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where CommandLine has_any (\\\"New-Mailbox\\\",\\\"Update-RoleGroupMember\\\") and CommandLine has \\\"HealthMailbox55x2yq\\\"\\n| project TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(DeviceProcessEvents\\n| where ProcessCommandLine has_any (\\\"New-Mailbox\\\",\\\"Update-RoleGroupMember\\\") and ProcessCommandLine has \\\"HealthMailbox55x2yq\\\"\\n| extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", 
AccountName)\\n)\\n)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Unusual identity creation using exchange powershell\",\"description\":\" The query below identifies creation of unusual identity by the Europium actor to mimic Microsoft Exchange Health Manager Service account using Exchange PowerShell commands\\n Reference: 
https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Microsoft Entra ID Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2023-11-02T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/757e6a79-6d23-4ae6-9845-4dac170656b5\",\"name\":\"757e6a79-6d23-4ae6-9845-4dac170656b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\\nlet ExpectedTenantIDs = dynamic([\\\"List of expected tenant IDs\\\",\\\"Tenant ID 2\\\"]);\\nAuditLogs\\n| where OperationName has \\\"Add a partner to cross-tenant access 
setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"tenantId\\\"\\n | extend ExtTenantIDAdded = trim('\\\"',tostring(Property.newValue))\\n )\\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Added\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or 
outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend 
AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @\\\"\\\\\\\")[1]), AccountNTDomain = tostring(split(Account, @\\\"\\\\\\\")[0])\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today compared with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in 
the analytic rule query period \\nimAuthentication\\n| where TargetUserType != \\\"NonInteractive\\\"\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult=='Failure'),\\n SuccessCount = countif(EventResult=='Success')\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", \\\")\\n| extend\\n Name = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, '@', 0)[0])\\n , TargetUsername\\n ),\\n UPNSuffix = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, '@', 1)[0])\\n , \\\"\\\"\\n )\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window.\\nNote that the query does not enforce any sequence, and does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds\\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\\n | where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| project TimeGenerated, OperationName, 
Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by CallerIPAddress;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\\n| project CallerIPAddress, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join kind = innerunique (\\nAzureDiagnostics\\n| where TimeGenerated > ago(2d)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\"),identity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"\\\"),\\n 
identity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"\\\")\\n| extend\\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\\n| extend id_s = column_ifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g, requestUri_s, clientInfo_s\\n) on CallerIPAddress\\n| extend\\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName,1000), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(CallerObjectId, 100), AccountMax = arg_max(CallerObjectId,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountMax\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Identifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. 
The query leverages a built-in KQL anomaly detection algorithm to find large deviations from baseline Azure Key Vault access patterns.\\nAny sudden increase in the count of Azure Key Vault accesses can be an indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend TargetAppName = tostring(TargetResources[0].displayName)\\n | extend TargetAppId = tostring(TargetResources[0].id)\\n 
| mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", '')\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend TargetPropertyDisplayName = tostring(TargetResources_0_modifiedProperties.displayName)\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, Result, TargetAppName, TargetAppId, FailureReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, userAgent\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"TargetAppId\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAppName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user's consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other 
applicaitons they may have consented to.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult =='Failure'\\n| where EventResultDetails == 'User disabled'\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult=='Success'\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount < 100\\n )\\n on SrcDvcIpAddr\\n| where 
isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcDvcIpAddr\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2023-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = 
tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to the SpringShell vulnerability. In Microsoft Sentinel, the SecurityAlerts table includes only the Device Name of the affected device.\\n This query joins the DeviceInfo table to clearly connect other information such as device group, IP, logged-on users, etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, tostring(LoggedOnUsers), 
ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, IP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. 
\\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in 
(IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = 'Dev-0322 IOC match'\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = 'Dev-0322 IOC match'\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = 'Dev-0322 IOC match'\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, 
DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = 'Dev-0322 IOC match'\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = 'Dev-0322 IOC match', Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = 'Dev-0322 IOC match', UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = 'Dev-0322 IOC match'\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where 
Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = DestinationHost\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = DestinationHost, AlertDetail = 'Dev-0322 IOC match'\\n),\\n(\\nAZFWApplicationRule\\n| where Fqdn has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(\\nAZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * 'SHA256=' SHA256 '\\\",' *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = 'Dev-0322 IOC match'\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = 
extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Dev-0322 IOC match'\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = 'Dev-0322 IOC match'\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = 
CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Dev-0322 IOC match'\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = 
CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"[Deprecated] - DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',\\n 'Microsoft.Identity.Health.Adfs.InsightsService.exe',\\n 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',\\n 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',\\n 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe',\\n 'Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe',\\n 'Microsoft.Identity.AadConnect.Health.AadSync.Host.exe',\\n 'Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe',\\n 'miiserver.exe'\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == '4656'\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == 'Key'\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, '\\\\\\\\', -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, 
ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == '4656' and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == 'Key'\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, '\\\\\\\\')[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == '4663'\\n| where ObjectType == 'Key'\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, '\\\\\\\\', -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == '4663' and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == 'Key'\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, '\\\\\\\\')[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| 
extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != 'Machine'\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(Account, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[0])\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Microsoft Entra ID Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra ID Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here 
https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * '(' DNSName ')' *\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames))\\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames))\\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = 
TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = DestinationIP\\n),\\n(DnsEvents\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ 'OATP'\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn,\\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames) \\n| extend timestamp = TimeGenerated),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName 
has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"[Deprecated] - Known Mint Sandstorm group domains/IP - October 2020\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure 
Firewall)\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors > 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. 
To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has '583da945-62af-10e8-4902-a8f205c72b2e'\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = User\\n| extend AccountName = tostring(split(User, @\\\"\\\\\\\")[1]), AccountNTDomain = tostring(split(User, @\\\"\\\\\\\")[0])\\n),\\n(\\nSecurityEvent\\n| where EventID == '5145'\\n// %%4418 looks for presence of CreatePipeInstance value\\n| where AccessList has '%%4418'\\n| where RelativeTargetName has '583da945-62af-10e8-4902-a8f205c72b2e'\\n| extend AccountName = SubjectUserName, AccountNTDomain = 
SubjectDomainName\\n),\\n(\\nWindowsEvent\\n| where EventID == '5145' and EventData has '%%4418' and EventData has '583da945-62af-10e8-4902-a8f205c72b2e'\\n// %%4418 looks for presence of CreatePipeInstance value\\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has '%%4418'\\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has '583da945-62af-10e8-4902-a8f205c72b2e'\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountName = tostring(EventData.SubjectUserName), AccountNTDomain = tostring(EventData.SubjectDomainName)\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: 
https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'inbound'\\n| where FilterDisposition !in ('reject', 'discard')\\n| extend attachedExt = todynamic(MsgParts)[0]['detectedExt']\\n| where tolower(attachedExt) in (disallowed_ext)\\n| project SrcUserUpn, AccountCustomEntity = parse_json(DstUserUpn)[0], attachedExt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = tostring(toscalar(externaldata(cmdlets:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/EmpireCommandString.txt\\\"] with (format=\\\"txt\\\")));\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any ('gc_worker.exe', 'gc_service.exe'))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate('\\\\0','', base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, 
CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project timestamp = TimeGenerated, Computer, SubjectUserName, SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')\\n),\\n(WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any ('gc_worker.exe', 'gc_service.exe'))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n//FileName = Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any ('gc_worker.exe', 'gc_service.exe'))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate('\\\\0','', base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| project timestamp = TimeGenerated, Computer, SubjectUserName, SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Powershell Empire Cmdlets Executed in Command Line\",\"description\":\"This query identifies use of PowerShell Empire's cmdlets within the command line data of the PowerShell process, indicating potential use of the post-exploitation 
tool.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, '\\\\\\\\')[-1])\\n| where FileName in~ (procList)\\n| project TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend AccountName = tostring(split(User, @'\\\\')[1]), AccountNTDomain = tostring(split(User, @'\\\\')[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union 
isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * '(' DNSName ')' * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallNetworkRule\\\"\\n | where msg_s has_any (domains)\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n | parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n | parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n | parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". 
Rule: \\\" Rule \\n | extend DNSName = TargetIP \\n | extend IPCustomEntity = SourceIP\\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | where msg_s has_any (domains)\\n | parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". \\\" protocol \\\" \\\" details\\n | extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n | extend DNSName = hostname\\n | extend IPCustomEntity = SourceIP\\n | project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n | order by TimeGenerated\\n ),\\n(AZFWApplicationRule\\n | where Fqdn has_any (domains)\\n | extend DNSName = Fqdn\\n | extend IPCustomEntity = SourceIp\\n ),\\n(AZFWDnsQuery\\n | where isnotempty(QueryName)\\n | where QueryName has_any (domains)\\n | extend DNSName = QueryName\\n | extend IPCustomEntity = SourceIp\\n )\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Solorigate Network Beacon\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. 
This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", 
@\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n InitiatingProcessAccountUPNSuffix = tostring(split(InitiatingProcessAccountUpn, \\\"@\\\")[1]),\\n Algorithm = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"InitiatingProcessAccountDomain\"},{\"identifier\":\"Sid\",\"columnName\":\"InitiatingProcessAccountSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"MD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * 'ServiceName\\\">' ServiceName \\\"<\\\" * 'ImagePath\\\">' ImagePath \\\"<\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * 'AccountName\\\">' AccountName \\\"<\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName\\n| extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), 
'.')\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal == ''\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, 
TimeGenerated\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n '(hydra)',\\n ' arachni/',\\n ' BFAC ',\\n ' brutus ',\\n ' cgichk ',\\n 'core-project/1.0',\\n ' crimscanner/',\\n 'datacha0s',\\n 'dirbuster',\\n 'domino hunter',\\n 'dotdotpwn',\\n 'FHScan Core',\\n 'floodgate',\\n 'get-minimal',\\n 'gootkit auto-rooter scanner',\\n 'grendel-scan',\\n ' inspath ',\\n 'internet ninja',\\n 'jaascois',\\n ' zmeu ',\\n 'masscan',\\n ' metis ',\\n 'morfeus fucking scanner',\\n 'n-stealth',\\n 'nsauditor',\\n 'pmafind',\\n 'security scan',\\n 'springenwerk',\\n 'teh forest lobster',\\n 'toata dragostea',\\n ' vega/',\\n 'voideye',\\n 'webshag',\\n 'webvulnscan',\\n ' 
whcc/',\\n ' Havij',\\n 'absinthe',\\n 'bsqlbf',\\n 'mysqloit',\\n 'pangolin',\\n 'sql power injector',\\n 'sqlmap',\\n 'sqlninja',\\n 'uil2pn',\\n 'ruler',\\n 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents\\n// ResultCode 3 => 'NXDOMAIN'\\n| where ResultCode == 3\\n| 
where QueryType in~ (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !has \\\"/\\\"\\n| where Name has \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated > ago(endtime)\\n// sld = Second Level Domain\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld), sampleNXDomainList=make_set(Name, 100) by ClientIP\\n| where dcount_sld > threshold\\n// Filter out previously seen IPs\\n// Returns all the records from the left side that don't have matches from the right\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP, bin(TimeGenerated,1d)\\n | where dcount_sld > threshold\\n ) on ClientIP\\n | order by dcount_sld desc\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live).\\nAlerts are generated when a new IP address is seen (based on not being associated with NXDomain records in the prior 10-day baseline 
period).\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend TargetAppName = tostring(TargetResources[0].displayName)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, 
\\\"@\\\")[1])\\n | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. 
Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/122fbc6a-57ab-4aa7-b9a9-51ac4970cac1\",\"name\":\"122fbc6a-57ab-4aa7-b9a9-51ac4970cac1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Define variable 'AwsAlert' to collect AWS GuardDuty CredentialAccess alerts related to Amazon Relational Database Service (RDS) activity\\nlet AwsAlert = materialize (\\n AWSGuardDuty\\n | where ActivityType has_any (\\n \\\"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin\\\",\\n \\\"CredentialAccess:RDS/TorIPCaller.FailedLogin\\\",\\n \\\"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce\\\",\\n \\\"CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin\\\",\\n \\\"CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin\\\",\\n \\\"CredentialAccess:RDS/MaliciousIPCaller.FailedLogin\\\"\\n )\\n | extend\\n AWSAlertId = Id, \\n AWSAlertTitle = Title,\\n AWSAlertDescription = Description,\\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4),\\n RDSInstanceId = 
tostring(parse_json(ResourceDetails).rdsDbInstanceDetails.dbInstanceIdentifier),\\n RDSUser = tostring(parse_json(ResourceDetails).rdsDbUserDetails.user),\\n RDSApplication = tostring(parse_json(ResourceDetails).rdsDbUserDetails.application),\\n RDSactionType = tostring(parse_json(ServiceDetails).action.actionType),\\n AWSAlertTime = TimeCreated,\\n AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=',Id)),\\n Severity = \\n case (\\n Severity >= 7.0, \\\"High\\\",\\n Severity between (4.0 .. 6.9), \\\"Medium\\\",\\n Severity between (1.0 .. 3.9), \\\"Low\\\",\\n \\\"Unknown\\\")\\n | distinct\\n AWSAlertTime,\\n ActivityType,\\n AWSAlertId,\\n AWSAlertLink,\\n AWSAlertTitle,\\n AWSAlertDescription,\\n AWSresourceType,\\n Arn,\\n Severity,\\n RDSactionType,\\n RDSApplication,\\n RDSInstanceId,\\n RDSUser,\\n AWSNetworkEntity\\n );\\n // Define variable 'Azure_sigin' to collect Azure portal sign-in activities\\n let Azure_sigin = materialize (\\n SigninLogs\\n | where AppDisplayName == \\\"Azure Portal\\\"\\n | where isnotempty(OriginalRequestId)\\n | summarize \\n AzureSuccessfulEvent = countif(ResultType == 0), \\n AzureFailedEvent = countif(ResultType != 0), \\n totalAzureLoginEventId = dcount(OriginalRequestId), \\n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \\n AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),\\n AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, \\\"\\\"), 5), \\n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \\\"\\\"), 5) \\n by \\n IPAddress, \\n UserPrincipalName, \\n bin(TimeGenerated, 1min), \\n UserAgent,\\n ConditionalAccessStatus,\\n OperationName,\\n RiskDetail,\\n AuthenticationRequirement,\\n ClientAppUsed\\n // Extracting the name and UPN suffix from UserPrincipalName\\n | extend\\n Name = tostring(split(UserPrincipalName, '@')[0]),\\n UPNSuffix = 
tostring(split(UserPrincipalName, '@')[1])\\n );\\n // Join 'AwsAlert' and 'Azure_sigin' on the AWS Network Entity and Azure IP Address\\n AwsAlert\\n | join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress\",\"customDetails\":{\"AWSAlertUserName\":\"RDSUser\",\"AWSArn\":\"Arn\",\"AWSresourceType\":\"AWSresourceType\",\"AWSInstanceType\":\"RDSactionType\",\"AWSAplicationName\":\"RDSApplication\",\"AWSInstanceId\":\"RDSInstanceId\",\"AzureUserAgent\":\"UserAgent\",\"AzureUser\":\"UserPrincipalName\",\"AzureClientAppUsed\":\"ClientAppUsed\",\"AzConditionalAccess\":\"ConditionalAccessStatus\",\"AzureOperationName\":\"OperationName\",\"AzureRiskDetail\":\"RiskDetail\",\"AzAuthRequirement\":\"AuthenticationRequirement\",\"alertSeverity\":\"Severity\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"IP address {{IPAddress}} in {{AWSAlertTitle}} seen in Azure Signin Logs with {{UserPrincipalName}}\",\"alertDescriptionFormat\":\"This detection correlates AWS GuardDuty Credential Access alert described '{{AWSAlertDescription}}' related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring. 
\\n\\n AWS ALert Link : '{{AWSAlertLink}}' \\n\\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"Severity\"},\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login\",\"description\":\"\\nThis detection correlates AWS GuardDuty Credential Access alerts related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring.\\n\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\n// Configure the list with sensitive process names \\nlet ExeList = 
dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll32.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in~ (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total > TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, NTDomain = split(Account, '\\\\\\\\', 0)[0], Name = split(Account, '\\\\\\\\', 1)[0], HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = 
tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process Execution Frequency Anomaly\",\"description\":\"This detection identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL's built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for 
score.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has ('127.0.0.1\\\\\\\\ADMIN$') and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = 
case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\"), AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@'127.0.0.1\\\\\\\\ADMIN$') and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has ('127.0.0.1\\\\\\\\ADMIN$') and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], 
Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where (Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)) or ( CommandLine has ('127.0.0.1\\\\\\\\ADMIN$') and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1]), AlgorithmCustomEntity = \\\"SHA256\\\"\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Cadet Blizzard Actor IOC - January 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. 
This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ab1f7b2-61b8-442f-bc81-96afe7ad8c53\",\"name\":\"6ab1f7b2-61b8-442f-bc81-96afe7ad8c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\\nlet GroupIDs = dynamic([\\\"List with Custom AAD GROUP OBJECT ID 1\\\",\\\"Custom AAD GROUP OBJECT ID 2\\\"]);\\nAuditLogs\\n| where OperationName in ('Add member to group', 'Add owner to group')\\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \\n// 
Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"CUSTOM DOMAIN NAME#\\\", \\\"#EXT#\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend InvitedUser = trim(@'\\\"',tostring(TargetResource.userPrincipalName)),\\n Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on \\n (\\n where Property.displayName =~ \\\"Group.DisplayName\\\"\\n | extend AADGroup = trim('\\\"',tostring(Property.newValue))\\n )\\n| where InvitedUser has_any (\\\"CUSTOM DOMAIN NAME#\\\", \\\"#EXT#\\\")\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"Group.ObjectID\\\"\\n | extend AADGroupId = trim('\\\"',tostring(Property.newValue))\\n )\\n| where AADGroupId !in (GroupIDs)\\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatedByIPAdress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Guest accounts added in AAD Groups other than the ones specified\",\"description\":\"Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. 
This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.\",\"lastUpdatedDateUTC\":\"2023-10-27T00:00:00Z\",\"createdDateUTC\":\"2022-10-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| extend RemoteIP = extract(@\\\".*?rhost=([\\\\d.]+).*?\\\", 1,SyslogMessage)\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
\\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts >= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, Computer, HostIP\\n| sort by Computer asc nulls last\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"HostIP\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in isn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. 
\\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > 
now();\\n// Perform a join between IP indicators and AzureDiagnostics logs for Key Vault events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated >= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n )\\n on $left.TI_ipEntity == $right.ClientIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where KeyVaultEvents_TimeGenerated < ExpirationDateTime\\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\\n | summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n // Select the desired output fields\\n | project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d,\\n identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, Type\\n // Rename the timestamp field\\n | extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"// Define the start and end times based on input values\\nlet starttime = now()-1h;\\nlet endtime = now();\\n// Set a lookback period of 14 days\\nlet lookback = starttime - 14d;\\n// Define a reusable function to query audit logs\\nlet awsFunc = (start:datetime, end:datetime) {\\n AuditLogs\\n | where TimeGenerated between (start..end)\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type in~ (\\\"User\\\", \\\"ServicePrincipal\\\")\\n | extend Target = iff(TargetResource.type =~ \\\"ServicePrincipal\\\", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),\\n props = 
TargetResource.modifiedProperties\\n )\\n | mv-apply Property = props on\\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim('\\\"', tostring(Property.newValue))\\n )\\n | where RoleName contains \\\"Admin\\\" and Result == \\\"success\\\"\\n};\\n// Query for audit events in the current day\\nlet EventInfo_CurrentDay = awsFunc(starttime, endtime);\\n// Query for audit events in the historical period (lookback)\\nlet EventInfo_historical = awsFunc(lookback, starttime);\\n// Find unseen events by performing a left anti-join\\nlet EventInfo_Unseen = (EventInfo_CurrentDay\\n | join kind=leftanti(EventInfo_historical) on Target, RoleName, OperationName\\n);\\n// Extend and clean up the results\\nEventInfo_Unseen\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n// You can uncomment the lines below to filter out PIM activations\\n// | where Initiator != \\\"MS-PIM\\\"\\n// | summarize StartTime=min(TimeGenerated), EndTime=min(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result\\n// Project specific columns and split them for further analysis\\n| project TimeGenerated, OperationName, RoleName, Target, Initiator, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, Result\\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]), InitiatorName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), 
InitiatorUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatorUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New User Assigned to Privileged Role\",\"description\":\"Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.\",\"lastUpdatedDateUTC\":\"2024-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently blogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange which eventually allows the attacker to execute arbitrary Powershell on the server.\\nIn the example powershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: 
https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for W3CIISLog events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now();\\n// Perform 
a join between IP indicators and W3CIISLog events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.cIP\\n // Filter out W3CIISLog events that occurred after the expiration of the corresponding indicator\\n | where W3CIISLog_TimeGenerated < ExpirationDateTime\\n // Group the results by IndicatorId and keep the W3CIISLog event with the latest timestamp\\n | summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n // Select the desired output fields\\n | project timestamp = W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"csUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to W3CIISLog\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in 
W3CIISLog.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * 'Image\\\">' Image \\\"<\\\" * 'OriginalFileName\\\">' OriginalFileName \\\"<\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * 'ProcessGuid\\\">' ProcessGuid \\\"<\\\" * 'Description\\\">' Description \\\"<\\\" * 'CommandLine\\\">' CommandLine \\\"<\\\" * 'CurrentDirectory\\\">' CurrentDirectory \\\"<\\\" * 'User\\\">' User \\\"<\\\" * 'LogonGuid\\\">' LogonGuid \\\"<\\\" * 'Hashes\\\">' Hashes \\\"<\\\" * 'ParentProcessGuid\\\">' ParentProcessGuid \\\"<\\\" * 
'ParentImage\\\">' ParentImage \\\"<\\\" * 'ParentCommandLine\\\">' ParentCommandLine \\\"<\\\" * 'ParentUser\\\">' ParentUser \\\"<\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\\n| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. 
\\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated >= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == 'Azure Sentinel', true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | 
extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated < ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend Name = tostring(split(EntityEmail, '@', 0)[0]), UPNSuffix = tostring(split(EntityEmail, '@', 1)[0])\\n| extend timestamp = Alert_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"EntityEmail\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType\\n| where DistinctAccounts > account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName,100),\\n UserAgent = make_set(UserAgent,100),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, 
ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\\n| extend Name = tostring(split(UserPrincipalName[0],'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Microsoft Entra ID Seamless SSO\",\"description\":\"This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nMicrosoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.\",\"lastUpdatedDateUTC\":\"2024-01-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = 
dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1d;\\nlet TimeSeriesData =\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(now()))\\n| where OperationNameValue in~ (szOperationNames)\\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Caller; \\nTimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where TimeGenerated >= startofday(ago(endtime))\\n| where anomalies > 0 and baseline > 0\\n| project Caller, TimeGenerated, Total, baseline, anomalies, score\\n| join (AzureActivity\\n| where TimeGenerated > startofday(ago(endtime)) \\n| where OperationNameValue in~ (szOperationNames)\\n| summarize make_set(OperationNameValue,100), make_set(_ResourceId,100), make_set(CallerIpAddress,100) by bin(TimeGenerated, timeframe), Caller\\n) on TimeGenerated, Caller\\n| mv-expand CallerIpAddress=set_CallerIpAddress\\n| project-away Caller1\\n| extend Name = iif(Caller has '@',tostring(split(Caller,'@',0)[0]),\\\"\\\")\\n| extend UPNSuffix = iif(Caller has '@',tostring(split(Caller,'@',1)[0]),\\\"\\\")\\n| extend AadUserId = iif(Caller !has 
'@',Caller,\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log. This query generates the baseline pattern of cloud resource creation by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic(['/ui/chk', 'mactok=', 'UsRnMe=', 'IlocalP=', 'kMnD=']);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, 
DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.\\nId the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSe
ttings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\\n| extend AccountName = tostring(split(SrcUsername, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \\\"@\\\")[1])\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. 
This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\",\"Execution\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell.
You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix 'solarwinds.businesslayerhost.exe'\\n| where not(Process has_any (excludeProcs))\\n| extend AccountName = tostring(split(ActorUsername, @'\\\\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\\\\')[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, 
substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmType\"},{\"identifier\":\"Value\",\"columnName\":\"TargetFileMD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48602a24-67cf-4362-b258-3f4249e55def\",\"name\":\"48602a24-67cf-4362-b258-3f4249e55def\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let query_frequency = 1h;\\nlet query_period = 14d;\\nIdentityInfo\\n| where TimeGenerated > ago(query_period)\\n| where set_has_element(AssignedRoles, \\\"Global Administrator\\\")\\n| distinct AccountUPN, AccountObjectId\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated > ago(query_frequency)\\n | where OperationName=~ \\\"Update user\\\" and Result =~ \\\"success\\\"\\n // | where isnotempty(InitiatedBy[\\\"user\\\"])\\n | mv-expand TargetResource = TargetResources\\n | where TargetResource[\\\"type\\\"] == \\\"User\\\"\\n | extend AccountObjectId = tostring(TargetResource[\\\"id\\\"])\\n | where tostring(TargetResource[\\\"modifiedProperties\\\"]) != \\\"[]\\\"\\n | mv-apply modifiedProperty = TargetResource[\\\"modifiedProperties\\\"] on (\\n summarize modifiedProperties = make_bag(\\n bag_pack(tostring(modifiedProperty[\\\"displayName\\\"]),\\n bag_pack(\\\"oldValue\\\", trim(@'[\\\\\\\"\\\\s]+', tostring(modifiedProperty[\\\"oldValue\\\"])),\\n \\\"newValue\\\", trim(@'[\\\\\\\"\\\\s]+', tostring(modifiedProperty[\\\"newValue\\\"])))))\\n )\\n | where not(tostring(modifiedProperties[\\\"Included Updated Properties\\\"][\\\"newValue\\\"]) in (\\\"LastDirSyncTime\\\", \\\"\\\"))\\n | where 
not(tostring(modifiedProperties[\\\"Included Updated Properties\\\"][\\\"newValue\\\"]) == \\\"StrongAuthenticationPhoneAppDetail\\\" and isnotempty(modifiedProperties[\\\"StrongAuthenticationPhoneAppDetail\\\"]) and tostring(array_sort_asc(extract_all(@'\\\\\\\"Id\\\\\\\"\\\\:\\\\\\\"([^\\\\\\\"]+)\\\\\\\"', tostring(modifiedProperties[\\\"StrongAuthenticationPhoneAppDetail\\\"][\\\"newValue\\\"])))) == tostring(array_sort_asc(extract_all(@'\\\\\\\"Id\\\\\\\"\\\\:\\\\\\\"([^\\\\\\\"]+)\\\\\\\"', tostring(modifiedProperties[\\\"StrongAuthenticationPhoneAppDetail\\\"][\\\"oldValue\\\"])))))\\n | extend\\n Initiator = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"displayName\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"userPrincipalName\\\"])),\\n InitiatorId = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"servicePrincipalId\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"id\\\"])),\\n IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])][\\\"ipAddress\\\"])\\n) on AccountObjectId\\n| project TimeGenerated, Category, Identity, Initiator, IPAddress, OperationName, Result, AccountUPN, InitiatedBy, AdditionalDetails, TargetResources, AccountObjectId, InitiatorId, CorrelationId\\n| extend\\n InitiatorName = tostring(split(Initiator, \\\"@\\\")[0]),\\n InitiatorUPNSuffix = tostring(split(Initiator, \\\"@\\\")[1]),\\n AccountName = tostring(split(AccountUPN, \\\"@\\\")[0]),\\n AccountUPNSuffix = tostring(split(AccountUPN, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatorUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Suspicious modification of Global Administrator user properties\",\"description\":\"This query will detect if user properties of Global Administrator are updated by an existing user. Usually only user administrator or other global administrator can update such properties.\\nInvestigate if such user change is an attempt to elevate an existing low privileged identity or rogue administrator activity\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"imProcess\\n| where EventType 
=~ \\\"ProcessCreated\\\"\\n| where Process endswith \\\"svchost.exe\\\"\\n| where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n| extend timekey = bin(TimeGenerated, 1m)\\n| project timekey, ActingProcessId, Dvc\\n| join kind=inner (\\n imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) \\n on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\\n| extend AccountName = tostring(split(ActorUsername, @'\\\\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\\\\')[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. 
Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated > ago(timeframe+spanoftime)\\n // A user account was enabled\\n | where EventID == 4722\\n | where AccountType =~ \\\"User\\\"\\n | where TargetAccount !endswith \\\"$\\\"\\n | project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToEnable = SubjectAccount, EnabledBySubjectUserName = SubjectUserName, EnabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToEnable = SubjectUserSid, UserPrincipalName\\n ),\\n (\\n WindowsEvent\\n | where TimeGenerated > ago(timeframe+spanoftime)\\n // A user account was enabled\\n | where EventID == 4722\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ 
\\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | where TargetAccount !endswith \\\"$\\\"\\n | extend Activity=\\\"4722 - A user account was enabled.\\\"\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToEnable = SubjectAccount, EnabledBySubjectUserName = SubjectUserName, EnabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToEnable = SubjectUserSid, UserPrincipalName\\n )\\n )\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated > ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n | where AccountType =~ \\\"User\\\"\\n | project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDisable = SubjectAccount, DisabledBySubjectUserName = SubjectUserName, DisabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDisable = SubjectUserSid, UserPrincipalName\\n ),\\n (WindowsEvent\\n | where TimeGenerated > ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend 
AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType =~ \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n | extend Activity = \\\"4725 - A user account was disabled.\\\"\\n | project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer = toupper(Computer), \\n TargetAccount = tolower(TargetAccount), TargetUserName, TargetDomainName, TargetSid, \\n AccountUsedToDisable = SubjectAccount, DisabledBySubjectUserName = SubjectUserName, DisabledBySubjectDomainName = SubjectDomainName, SIDofAccountUsedToDisable = SubjectUserSid, UserPrincipalName\\n )\\n )\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime < spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, TargetUserName, TargetDomainName, UserPrincipalName, \\nAccountUsedToEnable, SIDofAccountUsedToEnable, DisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable, \\nEnabledBySubjectUserName, EnabledBySubjectDomainName, DisabledBySubjectUserName, DisabledBySubjectDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = 
toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToEnable\"},{\"identifier\":\"Name\",\"columnName\":\"EnabledBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"EnabledBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToDisable\"},{\"identifier\":\"Name\",\"columnName\":\"DisabledBySubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"DisabledBySubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and an adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/779731f7-8ba0-4198-8524-5701b7defddc\",\"name\":\"779731f7-8ba0-4198-8524-5701b7defddc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let Alert_List= dynamic([\\n\\\"Phishing link click observed in Network Traffic\\\",\\n\\\"Phish delivered due to an IP allow policy\\\",\\n\\\"A potentially malicious URL click was detected\\\",\\n\\\"High Risk Sign-in Observed in Network Traffic\\\",\\n\\\"A user clicked through to a potentially malicious URL\\\",\\n\\\"Suspicious network connection to AitM phishing site\\\",\\n\\\"Messages containing malicious entity not removed after delivery\\\",\\n\\\"Email messages containing malicious URL removed after delivery\\\",\\n\\\"Email reported by user as malware or phish\\\",\\n\\\"Phish delivered due to an ETR override\\\",\\n\\\"Phish not zapped because ZAP is disabled\\\"]);\\nSecurityAlert\\n| where AlertName in~ (Alert_List)\\n//Findling Alerts which has the URL\\n| where Entities has \\\"url\\\"\\n//extracting Entities\\n| extend Entities = parse_json(Entities)\\n| mv-apply Entity = Entities on\\n (\\n 
where Entity.Type == 'url'\\n | extend EntityUrl = tostring(Entity.Url)\\n )\\n| summarize\\n Url=tostring(tolower(take_any(EntityUrl))),\\n AlertTime= min(TimeGenerated),\\n make_set(SystemAlertId, 100)\\n by ProductName, AlertName\\n// matching with 3rd party network logs and 3p Alerts\\n| join kind= inner (CommonSecurityLog\\n | where DeviceVendor has_any (\\\"Palo Alto Networks\\\", \\\"Fortinet\\\", \\\"Check Point\\\", \\\"Zscaler\\\")\\n | where DeviceProduct startswith \\\"FortiGate\\\" or DeviceProduct startswith \\\"PAN\\\" or DeviceProduct startswith \\\"VPN\\\" or DeviceProduct startswith \\\"FireWall\\\" or DeviceProduct startswith \\\"NSSWeblog\\\" or DeviceProduct startswith \\\"URL\\\"\\n | where DeviceAction != \\\"Block\\\"\\n | where isnotempty(RequestURL)\\n | project\\n 3plogTime=TimeGenerated,\\n DeviceVendor,\\n DeviceProduct,\\n Activity,\\n DestinationHostName,\\n DestinationIP,\\n RequestURL=tostring(tolower(RequestURL)),\\n MaliciousIP,\\n SourceUserName=tostring(tolower(SourceUserName)),\\n IndicatorThreatType,\\n ThreatSeverity,\\n ThreatConfidence,\\n SourceUserID,\\n SourceHostName)\\n on $left.Url == $right.RequestURL\\n// matching successful Login from suspicious IP\\n| join kind=inner (SigninLogs\\n //filtering the Successful Login\\n | where ResultType == 0\\n | project\\n IPAddress,\\n SourceSystem,\\n SigniningTime= TimeGenerated,\\n OperationName,\\n ResultType,\\n ResultDescription,\\n AlternateSignInName,\\n AppDisplayName,\\n AuthenticationRequirement,\\n ClientAppUsed,\\n RiskState,\\n RiskLevelDuringSignIn,\\n UserPrincipalName=tostring(tolower(UserPrincipalName)),\\n Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]),\\n UPNSuffix =tostring(split(UserPrincipalName, \\\"@\\\")[1]))\\n on $left.DestinationIP == $right.IPAddress and $left.SourceUserName == $right.UserPrincipalName\\n| where SigniningTime between ((AlertTime - 6h) .. (AlertTime + 6h)) and 3plogTime between ((AlertTime - 6h) .. 
(AlertTime + 6h))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DestinationHostName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceSystem\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity\",\"description\":\"This content is employed to correlate with Microsoft Defender XDR phishing-related alerts. It focuses on instances where a user successfully connects to a phishing URL from a non-Microsoft network device and subsequently makes successful sign-in attempts from the phishing IP address.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-05-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog 
(Zscaler)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\", \\\"Add member to role\\\")\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n | mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim('\\\"',tostring(Property.newValue))\\n )\\n | where RoleName contains \\\"admin\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend TargetUserPrincipalName = iff(OperationName==\\\"Add member to role\\\",tostring(TargetResources[0].userPrincipalName),tostring(TargetResources[2].userPrincipalName))\\n | extend TargetAadUserId = iff(OperationName==\\\"Add member to role\\\", tostring(TargetResources[0].id), 
tostring(TargetResources[2].id))\\n | extend AddedUser = TargetUserPrincipalName\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, AddedUser, RoleName, InitiatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. 
Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * 'ProcessId\\\">' ProcessId \\\"<\\\"* 'Image\\\">' Image \\\"<\\\" * 'TargetObject\\\">' TargetObject \\\"<\\\" * 'Details\\\">' Details \\\"<\\\" * 'User\\\">' User \\\"<\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ProcessId, Image, TargetObject, Details, _ResourceId\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(User, 
\\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(User, \\\"\\\\\\\\\\\")[0])\\n| extend ImageFileName = tostring(split(Image, \\\"\\\\\\\\\\\")[-1])\\n| extend ImageDirectory = replace_string(Image, ImageFileName, \\\"\\\")\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessId\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImageFileName\"},{\"identifier\":\"Directory\",\"columnName\":\"ImageDirectory\"}]},{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization's Active Directory.\\nRef: 
https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Low\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don't Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the 
user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don't Expire Password - Enabled\\\".\",\"lastUpdatedDateUTC\":\"2024-01-22T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let Alerts = SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| where Status != 'Resolved'\\n| extend ipEnt = parse_json(Entities), accountEnt = parse_json(Entities)\\n| mv-apply tempParams = ipEnt on (\\nmv-expand ipEnt\\n| where ipEnt.Type == \\\"ip\\\" \\n| extend IpAddress = tostring(ipEnt.Address)\\n)\\n| mv-apply tempParams = accountEnt on (\\nmv-expand accountEnt\\n| where accountEnt.Type == \\\"account\\\"\\n| extend AADUserId = tostring(accountEnt.AadUserId)\\n)\\n| extend Alert_TimeGenerated = TimeGenerated\\n| distinct Alert_TimeGenerated, IpAddress, AADUserId, DisplayName, Description, ProductName, ExtendedProperties, Entities, Status, CompromisedEntity\\n;\\nlet CA_Events = CloudAppEvents\\n| where ActionType == \\\"FileDownloaded\\\"\\n| 
extend parsed = parse_json(RawEventData)\\n| extend UserId = tostring(parsed.UserId)\\n| extend FileName = tostring(parsed.SourceFileName)\\n| extend FileExtension = tostring(parsed.SourceFileExtension)\\n| summarize CloudAppEvent_StartTime = min(TimeGenerated), CloudAppEvent_EndTime = max(TimeGenerated), CloudAppEvent_Files = make_set(FileName), FileCount = dcount(FileName) by Application, AccountObjectId, UserId, IPAddress, City, CountryCode\\n| extend CloudAppEvents_Details = pack_all();\\nlet CA_Alerts_Events = Alerts | join kind=inner (CA_Events)\\non $left.AADUserId == $right.AccountObjectId and $left.IpAddress == $right.IPAddress\\n// Cloud app event comes before Alert\\n| where CloudAppEvent_EndTime <= Alert_TimeGenerated\\n| project Alert_TimeGenerated, UserId, AADUserId, IPAddress, CloudAppEvents_Details, CloudAppEvent_Files\\n;\\n// setup list to filter DeviceFileEvents for only files downloaded as indicated by CloudAppEvents\\nlet CA_FileList = CA_Alerts_Events | project CloudAppEvent_Files;\\nCA_Alerts_Events\\n| join kind=inner ( DeviceFileEvents\\n| where ActionType in (\\\"FileCreated\\\", \\\"FileRenamed\\\")\\n| where FileName in~ (CA_FileList)\\n| summarize DeviceFileEvent_StartTime = min(TimeGenerated), DeviceFileEvent_EndTime = max(TimeGenerated), DeviceFileEvent_Files = make_set(FolderPath), DeviceFileEvent_FileCount = dcount(FolderPath) by InitiatingProcessAccountUpn, DeviceId, DeviceName, InitiatingProcessFolderPath, InitiatingProcessParentFileName//, InitiatingProcessCommandLine\\n| extend DeviceFileEvents_Details = pack_all()\\n) on $left.UserId == $right.InitiatingProcessAccountUpn\\n| where DeviceFileEvent_StartTime >= Alert_TimeGenerated\\n| join kind=inner (\\n// get device events where a USB drive was mounted\\nDeviceEvents\\n| where ActionType == \\\"UsbDriveMounted\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| extend USB_DriveLetter = tostring(AdditionalFields.DriveLetter), USB_ProductName = 
tostring(AdditionalFields.ProductName), USB_Volume = tostring(AdditionalFields.Volume)\\n| where isnotempty(USB_DriveLetter)\\n| project USB_TimeGenerated = TimeGenerated, DeviceId, USB_DriveLetter, USB_ProductName, USB_Volume\\n| extend USB_Details = pack_all()\\n) \\non DeviceId\\n// USB event occurs after the Alert\\n| where USB_TimeGenerated >= Alert_TimeGenerated\\n| mv-expand DeviceFileEvent_Files\\n| extend DeviceFileEvent_Files = tostring(DeviceFileEvent_Files)\\n// make sure that we only pickup the files that have the USB drive letter\\n| where DeviceFileEvent_Files startswith USB_DriveLetter\\n| summarize USB_Drive_MatchedFiles = make_set_if(DeviceFileEvent_Files, DeviceFileEvent_Files startswith USB_DriveLetter) by Alert_TimeGenerated, USB_TimeGenerated, UserId, AADUserId, DeviceId, DeviceName, IPAddress, CloudAppEvents_Details = tostring(CloudAppEvents_Details), DeviceFileEvents_Details = tostring(DeviceFileEvents_Details), USB_Details = tostring(USB_Details)\\n| extend InitiatingProcessFileName = tostring(split(todynamic(DeviceFileEvents_Details).InitiatingProcessFolderPath, \\\"\\\\\\\\\\\")[-1]), InitiatingProcessFolderPath = tostring(todynamic(DeviceFileEvents_Details).InitiatingProcessFolderPath)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\\n| extend HostNameDomain = iff(DeviceName != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AADUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessFileName\"},{\"identifier\":\"Directory\",\"columnName\":\"InitiatingProcessFolderPath\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download & copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. 
\\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"CloudAppEvents\",\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1\",\"name\":\"ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688\\n| where Process has_any (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\") and CommandLine has_cs \\\"-exec bypass -w 1 -enc\\\"\\n| where CommandLine contains_cs \\\"UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA\\\"\\n| extend DvcHostname = Computer, ProcessId = tostring(ProcessId), ActorUsername = Account\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" and ProcessCommandLine has_cs \\\"-exec bypass -w 1 -enc\\\"\\n| where ProcessCommandLine contains_cs \\\"UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA\\\"\\n| extend DvcHostname = DeviceName, ProcessId = tostring(InitiatingProcessId), 
ActorUsername = strcat(AccountDomain, @\\\"\\\\\\\", AccountName)\\n),\\n(imProcessCreate\\n| where Process has_any (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\") and CommandLine has_cs \\\"-exec bypass -w 1 -enc\\\"\\n| where CommandLine contains_cs \\\"UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA\\\"\\n| extend ProcessId = tostring(TargetProcessId)\\n)\\n)\\n| extend AccountName = tostring(split(ActorUsername, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(ActorUsername, \\\"\\\\\\\\\\\")[1])\\n| extend HostName = tostring(split(DvcHostname, \\\".\\\")[0]), DomainIndex = toint(indexof(DvcHostname, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessId\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Identify Mango Sandstorm powershell commands\",\"description\":\"The query below identifies powershell commands used by the threat actor Mango Sandstorm.\\nReference: 
https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\",\"lastUpdatedDateUTC\":\"2024-11-25T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d;\\nlet join_lookback = 1d;\\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = (\\nZoomLogs\\n| where TimeGenerated >= ago(schedule_lookback)\\n| where Event =~ \\\"meeting.created\\\"\\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId)\\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone));\\nZoomLogs\\n| where TimeGenerated >= ago(join_lookback)\\n| where Event =~ \\\"meeting.participant_joined\\\"\\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone)\\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName)\\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId)\\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId\\n| where SchedTimezone != JoinedTimeZone\\n| project TimeGenerated, MeetingName, 
JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1\\n| extend AccountName = tostring(split(JoiningUser, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(JoiningUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"JoiningUser\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient,\\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort,\\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"DestinationUserID\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to PaloAlto CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in ('127.0.0.1', '::1', '')\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = 
\\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, TargetUserName, TargetDomainName, _ResourceId, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend Account = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, TargetUserName, TargetDomainName, _ResourceId, Reason\\n)\\n);\\nunion isfuzzy=true 
linux_logons,win_logons\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex+1), Computer)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"AzureID\",\"columnName\":\"_ResourceId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2024-10-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingAppName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UpdatingServicePrincipalId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUserAadUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend UpdatingUserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend UpdatingUser = 
iif(isnotempty(UpdatingServicePrincipalId), UpdatingServicePrincipalId, UpdatingUserPrincipalName)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\\n | extend InitiatingAccountName = tostring(split(UpdatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(UpdatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetAccountName = tostring(split(UpdatedUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(UpdatedUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UpdatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UpdatingServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UpdatingUserAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UpdatingUserIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring 
guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\nlet default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\nlet addUsers = AuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| where Result =~ \\\"success\\\"\\n| extend AccountProperties = TargetResources[0].modifiedProperties\\n| mv-expand AccountProperties\\n;\\naddUsers\\n| evaluate bag_unpack(AccountProperties) : (displayName:string, oldValue: string, newValue: string , TenantId : string, SourceSystem : string, TimeGenerated : datetime, ResourceId : string, OperationName : string, OperationVersion : string, Category : string, ResultType : string, ResultSignature : string, ResultDescription : string, DurationMs : long, CorrelationId : string, 
Resource : string, ResourceGroup : string, ResourceProvider : string, Identity : string, Level : string, Location : string, AdditionalDetails : dynamic, Id : string, InitiatedBy : dynamic, LoggedByService : string, Result : string, ResultReason : string, TargetResources : dynamic, AADTenantId : string, ActivityDisplayName : string, ActivityDateTime : datetime, AADOperationType : string, Type : string)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"Unknown Value\\\")\\n| summarize count() by displayName, TenantId\\n| where displayName !in (default_ad_attributes)\\n| top threshold by count_ desc\\n| summarize make_set(displayName) by TenantId\\n| join kind=inner (\\naddUsers\\n| extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend CreatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend CreatingUserIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend PropName = tostring(AccountProperties.displayName)) \\non TenantId\\n| summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, CreatingAadUserId, CreatingUserIPAddress, tostring(set_displayName)\\n| extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n| where array_length(missing_props) > 0\\n| join kind=innerunique (\\nAuditLogs\\n| where Result =~ \\\"success\\\"\\n| where OperationName =~ \\\"Add user\\\"\\n| extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) \\non CorrelationId, CreatedUserPrincipalName\\n| extend ExpectedProperties = set_displayName\\n| project-away set_displayName, set_PropName\\n| extend InitiatingAccountName = tostring(split(CreatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(CreatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = 
tostring(split(CreatedUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(CreatedUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"CreatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CreatingUserIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"// Microsoft Entra ID Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Microsoft Entra ID Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic(['cf6d7e68-f018-4e0a-a7b3-126e053fb88d','cb1056e2-e479-49de-ae31-7812af012ed8']);\\nlet operationNamesList = dynamic(['Microsoft.ADHybridHealthService/services/servicemembers/action','Microsoft.ADHybridHealthService/services/delete']);\\nAzureActivity\\n| where CategoryValue =~ 'Administrative'\\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\\n| where _ResourceId has 'AdFederationService'\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])\\n| where AppId !in (appList)\\n| project-away 
claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Microsoft Entra ID Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify a suspicious application adding a server instance to an Microsoft Entra ID Hybrid Health AD FS service or deleting the AD FS service instance.\\nUsually the Microsoft Entra ID Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d and ID cb1056e2-e479-49de-ae31-7812af012ed8 is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"High\",\"query\":\"let AdminRecords = AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where 
TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim('\\\"',tostring(Property.newValue))\\n )\\n| where RoleName contains \\\"Admin\\\";\\nAdminRecords\\n| summarize dcount(TargetUserPrincipalName) by bin(TimeGenerated, 1h)\\n| where dcount_TargetUserPrincipalName > 9\\n| join kind=rightsemi (\\n AdminRecords\\n | extend TimeWindow = bin(TimeGenerated, 1h)\\n) on $left.TimeGenerated == $right.TimeWindow\\n| extend InitiatedByUser = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), \\\"\\\")\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, 
\\\"@\\\")[1])\",\"customDetails\":{\"InitiatedByUser\":\"InitiatedByUser\",\"TargetUser\":\"TargetUserPrincipalName\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. 
This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 1)[0]), \\\"\\\")\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)\\nby EventSource, EventName, UserIdentityType, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, 
RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.\\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/. 
\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.3\",\"severity\":\"Low\",\"query\":\"let TeamsAddDel = (Op:string){\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation == Op\\n| where Members has (\\\"#EXT#\\\")\\n| mv-expand Members\\n| extend UPN = tostring(Members.UPN)\\n| where UPN has (\\\"#EXT#\\\")\\n| project TimeGenerated, Operation, UPN, UserId, TeamName, ClientIP\\n};\\nlet TeamsAdd = TeamsAddDel(\\\"MemberAdded\\\")\\n| project TimeAdded=TimeGenerated, Operation, MemberAdded = UPN, UserWhoAdded = UserId, TeamName, ClientIP;\\nlet TeamsDel = TeamsAddDel(\\\"MemberRemoved\\\")\\n| project TimeDeleted=TimeGenerated, Operation, MemberRemoved = UPN, UserWhoDeleted = UserId, TeamName, ClientIP;\\nTeamsAdd\\n| join kind=inner (TeamsDel) on $left.MemberAdded == $right.MemberRemoved\\n| where TimeDeleted > TimeAdded\\n| project TimeAdded, TimeDeleted, MemberAdded_Removed = MemberAdded, UserWhoAdded, UserWhoDeleted, TeamName, ClientIP\\n| extend MemberAdded_RemovedAccountName = tostring(split(MemberAdded_Removed, \\\"@\\\")[0]), MemberAdded_RemovedAccountUPNSuffix = tostring(split(MemberAdded_Removed, \\\"@\\\")[1])\\n| extend 
UserWhoAddedAccountName = tostring(split(UserWhoAdded, \\\"@\\\")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, \\\"@\\\")[1])\\n| extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, \\\"@\\\")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"MemberAdded_Removed\"},{\"identifier\":\"Name\",\"columnName\":\"MemberAdded_RemovedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"MemberAdded_RemovedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoAdded\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoAddedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoAddedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoDeleted\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoDeletedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoDeletedAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated < ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project timestamp = Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, 
HostIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"HostIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to Syslog Data\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in Syslog data.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated > ago(timeframe+lookback)\\n| where 
Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated > ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == 
\\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(UserName, @'\\\\')[1]), AccountNTDomain = tostring(split(UserName, @'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named 
\\\"[@Name]\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AWSCloudTrail logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity 
!startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now();\\n// Perform a join between IP indicators and AWSCloudTrail logs to identify potential malicious activity\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AWSCloudTrail\\n | where TimeGenerated >= ago(dt_lookBack)\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated // Rename time column for clarity\\n )\\n on $left.TI_ipEntity == $right.SourceIpAddress\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AWSCloudTrail_TimeGenerated < ExpirationDateTime\\n // Group the results by IndicatorId and SourceIpAddress, and keep the log entry with the latest timestamp\\n | summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n // Select the desired output fields\\n | project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Rename the timestamp field\\n | extend timestamp = 
AWSCloudTrail_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"ObjectGuid\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| 
extend UserName = tostring(split(UserIdentityArn, '/')[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 1)[0]), \\\"\\\")\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)\\nby EventSource, EventName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic.\\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255. 
\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has 'CVE-2021-44228'\\n| parse ResourceDetails with * 'virtualMachines/' VirtualMachine '\\\"' *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMachine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"VirtualMachine\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228.\\nLog4j is an open-source Apache logging library that is used in many Java-based applications. 
Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bca9c877-2afc-4246-a26d-087ab1cdcd5f\",\"name\":\"bca9c877-2afc-4246-a26d-087ab1cdcd5f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"5dd1ca0d471dee41eb3ea0b6ea117810f228354fc3b7b47400a812573d40d91d\\\", \\\"5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57\\\", \\\"6cff0bbd62efe99f381e5cc0c4182b0fb7a9a34e4be9ce68ee6b0d0ea3eee39c\\\"]);\\nlet signames = dynamic([\\\"Ransom:Win32/Prestige\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, Algorithm = \\\"SHA256\\\", AccountNTName = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend AccountNT = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = 
TargetFileSHA256\\n| project Type, TimeGenerated, Computer, AccountNT, IPAddress, CommandLine, FileHash, Algorithm = \\\"SHA256\\\"\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ProcessId = tolong(EventDetail.[3].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", dynamic([\\\"\\\", \\\"\\\"])), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, ProcessId, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend AccountNT = UserName, InitiatingProcessId = ProcessId\\n| extend Process = tostring(split(Image, '\\\\\\\\', -1)[-1]), Algorithm = \\\"SHA256\\\", FileHash = tostring(Hashes[1]) \\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend AccountNT = InitiatingProcessAccountName, Computer = DeviceName\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine, Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, 
ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend AccountNT = InitiatingProcessAccountName, Computer = DeviceName\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine, Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend AccountNT = InitiatingProcessAccountName, Computer = DeviceName\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine, Image = InitiatingProcessFolderPath\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (signames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n)\\n)\\n| extend AccountNTName = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHash\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessId\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountNT\"},{\"identifier\":\"Name\",\"columnName\":\"AccountNTName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Prestige ransomware IOCs Oct 2022\",\"description\":\"This query looks for file hashes and AV signatures associated with Prestige ransomware 
payload.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| where isnotempty(Process)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend AccountName = tostring(split(ActorUsername, @'\\\\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\\\\')[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where 
OperationName == \\\"Library.ServiceConnectionExecuted\\\"\\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName, ActorUPN, IpAddress\\n| where CurrentCount > ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', DefId),\\n strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\\n| extend timestamp = StartTime\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren't manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service 
connections.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cd8d946d-10a4-40a9-bac1-6d0a6c847d65\",\"name\":\"cd8d946d-10a4-40a9-bac1-6d0a6c847d65\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let BEC_Keywords = dynamic([ 'invoice','payment','paycheck','transfer','bank statement','bank details','closing','funds','bank account','account details','remittance','purchase','deposit',\\\"PO#\\\",\\\"Zahlung\\\",\\\"Rechnung\\\",\\\"Paiement\\\", \\\"virement bancaire\\\",\\\"Bankuberweisung\\\",'hacked','phishing']);\\n// Adjust this threshold based on your environment\\nlet sensitivity = 2.5;\\nlet Events = materialize(imFileEvent\\n| where TimeGenerated between(startofday(ago(14d))..endofday(ago(0d)))\\n| where User !~ \\\"app@sharepoint\\\"\\n| where EventType =~ \\\"FileAccessed\\\"\\n| extend OriginalEvent = column_ifexists(\\\"EventOriginalType\\\",\\\"Unknown\\\")\\n| where OriginalEvent !~ \\\"FileSyncDownloadedFull\\\"\\n| where EventProduct in (\\\"SharePoint 365\\\", \\\"Azure File Storage\\\", \\\"OneDrive\\\" , \\\"SharePoint\\\")\\n| where FilePath has_any(BEC_Keywords)\\n| extend _AuthDetails = column_ifexists(\\\"AuthorizationDetails\\\", \\\"None\\\")\\n| extend SPuser = case(gettype(_AuthDetails) == \\\"array\\\", tostring(todynamic(_AuthDetails)[0].principals[0].id), \\\"Unknown\\\")\\n| extend User = case(isnotempty(User), User, SPuser)\\n| where 
isnotempty(User));\\nEvents\\n| summarize dcount(FileName) by User, bin(startofday(TimeGenerated), 1d)\\n| summarize CountOfDocs = make_list(dcount_FileName, 10000), TimeStamp = make_list(TimeGenerated, 10000) by User\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfDocs, sensitivity, -1, 'linefit')\\n| mv-expand CountOfDocs to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies > 0\\n| project TimeStamp, CountOfDocs, Baseline, Score, Anomalies, User\\n| join kind=inner(Events | extend TimeStamp = startofday(TimeGenerated)) on TimeStamp, User\\n| extend IpAddr = column_ifexists(\\\"IpAddr\\\", SrcIpAddr)\\n| extend Name = iif(User contains \\\"@\\\", split(User, \\\"@\\\")[0], split(User, \\\"\\\\\\\\\\\")[1])\\n| extend UPNSuffix = iif(User contains \\\"@\\\", split(User, \\\"@\\\")[1], \\\"\\\")\\n| extend NTDomain = iif(User contains \\\"@\\\", split(User, \\\"\\\\\\\\\\\")[0], \\\"\\\")\\n| project-reorder TimeGenerated, User, EventType, EventResult, EventProduct, FilePath, HttpUserAgent, IpAddr, CountOfDocs, Baseline, 
Score\",\"customDetails\":{\"Type\":\"EventType\",\"Result\":\"EventResult\",\"Product\":\"EventProduct\",\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddr\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FilePath\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Suspicious access of {{number_of_files_accessed}} BEC related documents by {{User}}\",\"alertDescriptionFormat\":\"This query looks for users (in this case {{User}}) with suspicious spikes in the number of files accessed (in this case {{number_of_files_accessed}} events) that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. 
In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Collection\"],\"displayName\":\"Suspicious access of BEC related documents\",\"description\":\"This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.\\nThe query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. 
Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2023-02-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads page, click the 'details' button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/MSFTIPRanges/ServiceTags_Public.json\\\"] with(format='multijson')\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes)\\n| extend isipv4 = parse_ipv4(values_properties_addressPrefixes)\\n| extend isipv6 = parse_ipv6(values_properties_addressPrefixes)\\n| extend ip_type = case(isnotnull(isipv4), \\\"v4\\\", \\\"v6\\\")\\n| summarize make_list(values_properties_addressPrefixes) by ip_type\\n;\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where ResultType == 0\\n| where AppDisplayName =~ 
\\\"Azure Portal\\\"\\n| extend isipv4 = parse_ipv4(IPAddress)\\n| extend ip_type = case(isnotnull(isipv4), \\\"v4\\\", \\\"v6\\\")\\n // Only get logons where the IP address is in an Azure range\\n| join kind=fullouter (azure_ranges) on ip_type\\n| extend ipv6_match = ipv6_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\\n| extend ipv4_match = ipv4_is_in_any_range(IPAddress, list_values_properties_addressPrefixes)\\n| where ipv4_match or ipv6_match \\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId, UserId\\n| extend AccountName = split(UserPrincipalName, \\\"@\\\")[0]\\n| extend UPNSuffix = split(UserPrincipalName, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}\",\"alertDescriptionFormat\":\"This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\nand the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal sign in from another Azure Tenant\",\"description\":\"This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant, and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", 
\\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr 
\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == 
\\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAZFWApplicationRule\\n| where Fqdn has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n),\\n(\\nAZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] -Known Barium IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedB
yTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA256=' SHA265 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Known Diamond Sleet related maldoc 
hash\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\nlet OfficeActivity_ = materialize(OfficeActivity\\n | where isnotempty(ClientIP)\\n | where TimeGenerated >= ago(dt_lookBack)\\n | extend ClientIPValues = extract_all(@'\\\\[?(::ffff:)?(?P(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\\\\d+))?', dynamic([\\\"IPAddress\\\", 
\\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '')\\n | project-rename OfficeActivity_TimeGenerated = TimeGenerated);\\nlet ActivityIPs = OfficeActivity_ | summarize IPs = make_list(IPAddress);\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = materialize(ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | extend TI_ipEntity = coalesce(NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress)\\n | where TI_ipEntity in (ActivityIPs)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now()\\n | where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\");\\nIP_Indicators\\n// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n| join kind=innerunique (OfficeActivity_)\\n on $left.TI_ipEntity == $right.IPAddress\\n// Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator\\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\\n// Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n// Select the desired output fields\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = OfficeActivity_TimeGenerated, Name = 
tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"TI_ipEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\"\\n| extend 
UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 1)[0]), \\\"\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid,\\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole\\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws \\nAWS STS GetCallerIdentity API: 
https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/229f71ba-d83b-42a5-b83b-11a641049ed1\",\"name\":\"229f71ba-d83b-42a5-b83b-11a641049ed1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User & Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly\\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. 
When Access Type in modified outbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bCollaborationOutbound\\\"\\n | extend PremodifiedOutboundSettings = trim('\\\"',tostring(Property.oldValue)),\\n ModifiedOutboundSettings = trim(@'\\\"',tostring(Property.newValue))\\n )\\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. 
This detection notifies when Organization Outbound Collaboration Settings are changed for \\\"Users & Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tolower(tostring(split(NewProcessName, '\\\\\\\\')[-1]))\\n ),\\n (WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tolower(tostring(split(NewProcessName, '\\\\\\\\')[-1]))\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\\n| join kind=innerunique (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = 
tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data to identify potential instances of executables of the same name having been recently run.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation 
settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| mv-apply Property = modifiedProperties on\\n (\\n where Property.displayName =~ \\\"LiveType\\\"\\n | extend targetDisplayName = tostring(Property.displayName),\\n NewDomainValue = tostring(Property.newValue)\\n )\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| mv-apply AdditionalDetail = AdditionalDetails on\\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| project-reorder TimeGenerated, OperationName, 
InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2566e99f-ad0f-472a-b9ac-d3899c9283e6\",\"name\":\"2566e99f-ad0f-472a-b9ac-d3899c9283e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has_all ('reg', 'add', 'HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\', '/v','/t', 'REG_DWORD', '/d', '/f') and CommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource'))\\n or CommandLine has_all ('reg', 'add', 'HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\', '/v','/t', 'REG_DWORD', '/d', '/f', 
'RecoveryKeyMessage', 'Your drives are Encrypted!', '@')\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where (InitiatingProcessCommandLine has_all(@'\\\"reg\\\"', 'add', @'\\\"HKLM\\\\SOFTWARE\\\\Policies\\\\', '/v','/t', 'REG_DWORD', '/d', '/f') \\n and InitiatingProcessCommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource') ) \\n or InitiatingProcessCommandLine has_all('\\\"reg\\\"', 'add', @'\\\"HKLM\\\\SOFTWARE\\\\Policies\\\\', '/v','/t', 'REG_DWORD', '/d', '/f', 'RecoveryKeyMessage', 'Your drives are Encrypted!', '@')\\n| extend Account = strcat(InitiatingProcessAccountDomain, @'\\\\', InitiatingProcessAccountName), Computer = DeviceName\\n )\\n )\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @'\\\\')[1]), AccountNTDomain = tostring(split(Account, @'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0270 Registry IOC - September 2022\",\"description\":\"The query below identifies modification of registry by Dev-0270 actor to disable security feature as well as to add ransom 
notes\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2bc08fa-030a-4eea-931a-762d27c6a042\",\"name\":\"d2bc08fa-030a-4eea-931a-762d27c6a042\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Threshold = 1; \\n AzureDiagnostics\\n | where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n | where action_s == \\\"Matched\\\"\\n | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s\\n | join kind = inner(\\n AzureDiagnostics\\n | where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n | where action_s == \\\"Blocked\\\"\\n | parse Message with MessageText 'Total Inbound Score: ' TotalInboundScore ' - SQLI=' SQLI_Score ',XSS=' XSS_Score ',RFI=' RFI_Score ',LFI=' LFI_Score ',RCE=' RCE_Score ',PHPI=' PHPI_Score ',HTTP=' HTTP_Score ',SESS=' SESS_Score '): ' Blocked_Reason '; individual paranoia level scores:' Paranoia_Score\\n | where Blocked_Reason contains \\\"XSS\\\" and toint(TotalInboundScore) >=15 and toint(XSS_Score) >= 10 and toint(SQLI_Score) <= 5) on transactionId_g\\n | extend Uri = strcat(hostname_s,requestUri_s)\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), 
TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, XSS_Score, TotalInboundScore\\n | where Total_TransactionId >= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Uri\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIp_s\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Application Gateway WAF - XSS Detection\",\"description\":\"Identifies a match for XSS attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement.\\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n (SecurityEvent\\n | where EventID == 4720\\n | where AccountType == \\\"User\\\"\\n | project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\n CreatedUser = 
tolower(TargetAccount), CreatedUserAccountName = TargetUserName, CreatedUserDomainName = TargetDomainName, CreatedUserSid = TargetSid, \\n AccountUsedToCreateUser = SubjectAccount, CreatedByAccountName = SubjectUserName, CreatedByDomainName = SubjectDomainName, SidofAccountUsedToCreateUser = SubjectUserSid\\n ),\\n (WindowsEvent\\n | where EventID == 4720\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType == \\\"User\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetUserName = tostring(EventData.TargetUserName), TargetDomainName = tostring(EventData.TargetDomainName) \\n | extend Activity=\\\"4720 - A user account was created.\\\"\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\n CreatedUser = tolower(TargetAccount), CreatedUserAccountName = TargetUserName, CreatedUserDomainName = TargetDomainName, CreatedUserSid = TargetSid, \\n AccountUsedToCreateUser = SubjectAccount, CreatedByAccountName = SubjectUserName, CreatedByDomainName = SubjectDomainName, SidofAccountUsedToCreateUser = SubjectUserSid\\n )\\n )\\n| join kind=inner\\n(\\n (union isfuzzy=true\\n (SecurityEvent \\n | where AccountType == \\\"User\\\"\\n // 4732 - A member was added to a security-enabled local group\\n | where EventID == 4732\\n // TargetSid is the builin Admins group: 
S-1-5-32-544\\n | where TargetSid == \\\"S-1-5-32-544\\\"\\n | project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\n GroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, AddedByAccountName = SubjectUserName, AddedByDomainName = SubjectDomainName,\\n CreatedUserSid = MemberSid\\n ),\\n ( WindowsEvent \\n // 4732 - A member was added to a security-enabled local group\\n | where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n //TargetSid is the builin Admins group: S-1-5-32-544\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | where AccountType == \\\"User\\\"\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | where TargetSid == \\\"S-1-5-32-544\\\"\\n | extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n | extend SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserName = tostring(EventData.SubjectUserName)\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n | extend MemberSid = tostring(EventData.MemberSid)\\n | project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\n GroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, AddedByAccountName = SubjectUserName, AddedByDomainName = SubjectDomainName,\\n CreatedUserSid = MemberSid\\n )\\n )\\n)\\non 
CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, CreatedUserAccountName, CreatedUserDomainName,\\nGroupAddTime, GroupAddEventID, GroupAddActivity, GroupName, GroupSid,\\nAccountUsedToCreateUser, SidofAccountUsedToCreateUser, CreatedByAccountName, CreatedByDomainName, \\nAccountThatAddedUser, SIDofAccountThatAddedUser, AddedByAccountName, AddedByDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUsedToCreateUser\"},{\"identifier\":\"Name\",\"columnName\":\"CreatedByAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"CreatedByDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountThatAddedUser\"},{\"identifier\":\"Name\",\"columnName\":\"AddedByAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AddedByDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUser\"},{\"identifier\":\"Name\",\"columnName\":\"CreatedUserAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"CreatedUserDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies 
when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions reviewed.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"192\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv24\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where OperationNameValue in~ (operationList)\\n| where ActivityStatusValue startswith \\\"Accept\\\"\\n| where Properties has 'vmSize'\\n| extend parsed_property= parse_json(tostring((parse_json(Properties).responseBody))).properties\\n| extend vmSize = tostring((parsed_property.hardwareProfile).vmSize)\\n| mv-apply token=tokens to typeof(string) on (where vmSize contains token)\\n| extend ComputerName = tostring((parsed_property.osProfile).computerName)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend Name = 
tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"ComputerName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure.\\nAn adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes.\\nFor Windows/Linux Vm Sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", 
\\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords '}'*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords '}'*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords '}'*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised 
users that they've been compromised. Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/639aa695-9de9-4921-aa6b-6fdc35cb1eee\",\"name\":\"639aa695-9de9-4921-aa6b-6fdc35cb1eee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs \\n| where OperationName contains \\\"Update user\\\"\\n| where TargetResources[0].modifiedProperties[0].oldValue contains \\\"Guest\\\"\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n// Uncomment the below line if you want to get alerts for changed usertype from specific domains or users\\n//| where InvitedUser has_any (\\\"CUSTOM DOMAIN NAME#\\\", \\\"#EXT#\\\")\\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \\n| extend OldUserType = TargetResources[0].modifiedProperties[0].oldValue contains \\\"Guest\\\"\\n| extend NewUserType = TargetResources[0].modifiedProperties[0].newValue contains \\\"Member\\\"\\n| mv-expand OldUserType = TargetResources[0].modifiedProperties[0].oldValue to typeof(string)\\n| mv-expand NewUserType = 
TargetResources[0].modifiedProperties[0].newValue to typeof(string)\\n| where OldUserType != NewUserType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatedByActionUserInformation\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatedByIPAdress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Guest accounts changed user type from guest to members in AzureAD\",\"description\":\"Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are changed from user type as should be in AzureAD to member and gain other rights in the tenant.\",\"lastUpdatedDateUTC\":\"2022-10-23T00:00:00Z\",\"createdDateUTC\":\"2022-10-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", \\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic(['{','%7b', '%7B']);\\nlet 
UARegex = @'(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)';\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = column_ifexists(\\\"clientIp_s\\\",clientIP_s), Type, column_ifexists(\\\"originalHost_s\\\",host_s), Url = requestUri_s, HttpStatus = column_ifexists(\\\"httpStatusDetails_s\\\",httpStatus_d), column_ifexists(\\\"transactionId_g\\\",trackingReference_s), ruleName_s, ResourceType, ResourceId\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, Url = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n),\\n(SigninLogs\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, 
ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern.\\nLog4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. 
This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic(['','']);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has 'Administrators'\\n| where Details has \\\"was added as a member of group\\\" and 
(Details endswith '\\\\\\\\Project Administrators' or Details endswith '\\\\\\\\Project Collection Administrators')\\n| parse Details with AddedIdentity ' was added as a member of group [' EntityName ']\\\\\\\\' GroupName\\n| extend Level = iif(GroupName == 'Project Collection Administrators', 'Organization', 'Project'), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == 'Organization', 'High', 'Medium'), AlertDetails = strcat('At ', TimeGenerated, ' UTC ', ActorUPN, '/', ActorDisplayName, ' added ', AddedIdentity, ' to the ', EntityName, ' ', Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == 'Organization'\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism,\\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(Adder, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Adder, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Adder\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ActorIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * 'AttributeLDAPDisplayName\\\">' AttributeLDAPDisplayName \\\"<\\\" *\\n| parse EventData with * 'ObjectClass\\\">' ObjectClass \\\"<\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == \\\"user\\\"\\n| parse EventData with * 'ObjectDN\\\">' ObjectDN \\\"<\\\" *\\n| parse EventData with * 'AttributeValue\\\">' AttributeValue \\\"<\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136, that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let 
DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']);\\nlet IPList = dynamic(['185.225.69.69']);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| extend IPMatch = case( SourceIp in (IPList), 
\\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = 
SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Midnight Blizzard - Domain and IP IOCs - March 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = 
Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(lookBack) and TimeGenerated < ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix 'rundll32.exe'\\n| where CommandLine has_any ('Execute','RegRead','window.close')\\n| project TimeGenerated, Dvc, User, 
Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend AccountName = tostring(split(User, @'\\\\')[1]), AccountNTDomain = tostring(split(User, @'\\\\')[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~'Add member to role request denied (PIM activation)'\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"Role\\\"\\n | extend Role = trim(@'\\\"',tostring(ResourceItem.displayName))\\n )\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = trim(@'\\\"',tostring(ResourceItem.userPrincipalName))\\n )\\n| where isnotempty(InitiatedBy.user)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatedByUPNSuffix = 
tostring(split(InitiatingUserPrincipalName,'@',1)[0])\\n| project-reorder TimeGenerated, TargetUserPrincipalName, Role, OperationName, Result, ResultDescription\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c895c5b9-0fc6-40ce-9830-e8818862f2d5\",\"name\":\"c895c5b9-0fc6-40ce-9830-e8818862f2d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User & Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly\\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. 
When Access Type in modified inbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bCollaborationInbound\\\"\\n | extend PremodifiedInboundSettings = trim('\\\"',tostring(Property.oldValue)),\\n ModifiedInboundSettings = trim(@'\\\"',tostring(Property.newValue))\\n )\\n| where PremodifiedInboundSettings != ModifiedInboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. 
This detection notifies when Organization Inbound Collaboration Settings are changed for \\\"Users & Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated > ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\" or GroupMembership has \\\"Admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(TargetUserPrincipalName) in (admin_users)\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend RoleAddedTo = iif(isnotempty(TargetUserPrincipalName), TargetUserPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = 
tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend RoleAddedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend UserAgent = tostring(AdditionalDetails[0].value)\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, TargetUserPrincipalName, RoleAddedTo, RoleAdded, RoleAddedBy, InitiatingUserPrincipalName, InitiatingAppName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. 
Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account 
information.\\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"Medium\",\"query\":\"let authenticationWindow = 20m;\\nlet sensitivity = 2.5;\\nSigninLogs\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\"), IPAddresses = make_set(IPAddress,1000)\\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName\\n| extend FailureSuccessDiff = FailureCount - SuccessCount\\n| where FailureSuccessDiff > 0\\n| summarize Diff = make_list(FailureSuccessDiff, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Diff, 
sensitivity, -1, 'linefit') \\n| mv-expand Diff to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies > 0\\n| summarize by UserDisplayName, UserPrincipalName, Anomalies, Score, Baseline, FailureToSuccessDiff = Diff\\n| join kind=leftouter (\\n SigninLogs\\n | where AppDisplayName =~ \\\"Windows Sign In\\\"\\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n | summarize StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IPAddresses = make_set(IPAddress,100), \\n OS = make_set(OS,20), \\n Browser = make_set(Browser,20), \\n City = make_set(City,100), \\n ResultType = make_set(ResultType,100)\\n by UserDisplayName, UserPrincipalName, UserId, AppDisplayName\\n ) on UserDisplayName, UserPrincipalName\\n| project-away UserDisplayName1, UserPrincipalName1\\n| extend IPAddressFirst = tostring(IPAddresses[0])\\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddressFirst\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful 
authentication within a given time window.\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\nlet dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where 
Active == true and ExpirationDateTime > now();\\n// Perform a join between IP indicators and CommonSecurityLog events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated >= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.CS_ipEntity\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\\n // Group the results by IndicatorId and CS_ipEntity, and keep the log entry with the latest timestamp\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n // Select the desired output fields\\n | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CS_ipEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to CommonSecurityLog\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in 
CommonSecurityLog.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"// Adjust this figure to adjust how sensitive this detection is\\nlet sensitivity = 2.5;\\nlet AuthEvents = materialize(\\nunion isfuzzy=True SigninLogs, AADNonInteractiveUserSignInLogs\\n| where TimeGenerated > ago(7d)\\n| where ResultType == 0\\n| extend LocationDetails = LocationDetails_dynamic\\n| extend Location = strcat(LocationDetails.countryOrRegion, \\\"-\\\", LocationDetails.state,\\\"-\\\", LocationDetails.city)\\n| where Location != \\\"--\\\");\\nAuthEvents\\n| summarize dcount(Location) by AppDisplayName, AppId, UserPrincipalName, UserId, bin(startofday(TimeGenerated), 1d)\\n| where dcount_Location > 2\\n| make-series CountOfLocations = sum(dcount_Location) on TimeGenerated step 1d by AppId, UserId\\n| extend (Anomalies, Score, Baseline) = 
series_decompose_anomalies(CountOfLocations, sensitivity, -1, 'linefit')\\n| mv-expand CountOfLocations to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies > 0 and Baseline > 0\\n| join kind=inner( AuthEvents | extend TimeStamp = startofday(TimeGenerated)) on UserId, AppId\\n| extend SignInDetails = bag_pack(\\\"TimeGenerated\\\", TimeGenerated1, \\\"Location\\\", Location, \\\"Source\\\", IPAddress, \\\"Device\\\", DeviceDetail_dynamic)\\n| summarize SignInDetailsSet=make_set(SignInDetails, 1000) by UserId, UserPrincipalName, CountOfLocations, TimeGenerated, AppId, AppDisplayName\\n| extend Name = split(UserPrincipalName, \\\"@\\\")[0], UPNSuffix = split(UserPrincipalName, \\\"@\\\")[1]\",\"customDetails\":{\"Application\":\"AppDisplayName\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}\",\"alertDescriptionFormat\":\"This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\\nindividual application. 
This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \\ndifferent locations.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an individual application.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications.\\nThis could also simply indicate a misconfigured 
service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService =~ \\\"Core Directory\\\" and OperationName =~ \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\\n| extend 
InitiatedByName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')\\n| project TimeGenerated, SrcIpAddr, Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home 
computer.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(TargetUserPrincipalName) in (admin_users)\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Low\",\"query\":\"imProcess\\n| where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", \\\"-r\\\", \\\"-q\\\")\\n| where Process !endswith \\\"sdelete.exe\\\"\\n| where CommandLine !has \\\"sdelete\\\"\\n| extend AccountName = tostring(split(ActorUsername, @'\\\\')[1]), AccountNTDomain = tostring(split(ActorUsername, 
@'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DvcDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host's C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName 
has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | where TargetResources has \\\"AppIdentifierUri\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend TargetAppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, 
InitiatingIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURI\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c701f94-783c-4cd4-bc9b-3b3334976090\",\"name\":\"2c701f94-783c-4cd4-bc9b-3b3334976090\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let suspiciousCmdLineKeywords = dynamic([\\\"http://\\\", 
\\\"https://\\\"]);\\n// Identify exchange servers based on known paths\\n// Summarize these to get a list of exchange server hostnames\\nlet exchangeServers = W3CIISLog\\n| where csUriStem has_any(\\\"/owa/\\\",\\\"/ews/\\\",\\\"/ecp/\\\",\\\"/autodiscover/\\\")\\n// Only where successful, rule out failed scanning\\n| where scStatus startswith \\\"2\\\"\\n| summarize by Computer;\\nDeviceProcessEvents\\n| where DeviceName in~ (exchangeServers)\\n// Where the IIS worker process initiated CMD or PowerShell\\n| where InitiatingProcessParentFileName == \\\"w3wp.exe\\\"\\n| where InitiatingProcessFileName has_any(\\\"cmd.exe\\\", \\\"powershell.exe\\\")\\n// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation\\n| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)\\n| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName\\n| extend Account = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Exchange Worker Process Making Remote Call\",\"description\":\"This query dynamically identifies Exchange servers and then looks for instances where the IIS 
worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe.\\nThis behaviour was described as post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, this pattern of activity was use to download additional tools to the server. This suspicious activity is generic.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f40ed57-f54b-462f-906a-ac3a89cc90d4\",\"name\":\"1f40ed57-f54b-462f-906a-ac3a89cc90d4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Materialize a table named \\\"Azure_Bruforce\\\" containing Azure Portal sign-in logs within the last 1 day\\nlet Azure_Bruforce = materialize (\\n SigninLogs\\n// Filter sign-in logs related to the Azure Portal\\n | where AppDisplayName == \\\"Azure Portal\\\"\\n// Exclude entries with empty OriginalRequestId\\n | where isnotempty(OriginalRequestId)\\n// Summarize various counts and sets based on brute force criteria\\n | summarize \\n AzureSuccessfulEvent = countif(ResultType == 0), \\n AzureFailedEvent = countif(ResultType != 0), \\n totalAzureLoginEventId = dcount(OriginalRequestId), \\n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \\n AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),\\n 
AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, \\\"\\\"), 5), \\n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \\\"\\\"), 5) \\n by \\n IPAddress, \\n UserPrincipalName, \\n bin(TimeGenerated, 1min), \\n UserAgent,\\n ConditionalAccessStatus,\\n OperationName,\\n RiskDetail,\\n AuthenticationRequirement,\\n ClientAppUsed\\n// Extracting the name and UPN suffix from UserPrincipalName\\n | extend\\n Name = tostring(split(UserPrincipalName, '@')[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, '@')[1]));\\n// Materialize a table named \\\"AWS_Bruforce\\\" containing AWS CloudTrail events related to ConsoleLogins within the last 1 day\\nlet AWS_Bruforce = materialize (\\n AWSCloudTrail \\n// Filter CloudTrail events related to ConsoleLogin\\n | where EventName == \\\"ConsoleLogin\\\" \\n// Extract ActionType from ResponseElements JSON\\n | extend ActionType = tostring(parse_json(ResponseElements).ConsoleLogin) \\n// Summarize various counts and sets based on brute force criteria \\n | summarize \\n AWSSuccessful=countif(ActionType == \\\"Success\\\"), \\n AWSFailed = countif(ActionType == \\\"Failure\\\"), \\n totalAwsEventId= dcount(AwsEventId), \\n AWSFailedEventsCount = dcountif(AwsEventId, ActionType == \\\"Failure\\\"), \\n AWSSuccessfuleventsCount = dcountif(AwsEventId, ActionType == \\\"Success\\\"), \\n AWSFailedevents = makeset(iff(ActionType == \\\"Failure\\\", AwsEventId, \\\"\\\"), 5), \\n AWSSuccessfulEvents = makeset(iff(ActionType == \\\"Success\\\", AwsEventId, \\\"\\\"), 5) \\n// Grouping by various attributes\\n by \\n SourceIpAddress, \\n UserIdentityUserName,\\n bin(TimeGenerated, 1min), \\n UserAgent );\\n// Joining the Azure_Bruforce and AWS_Bruforce tables on matching IP addresses and UserAgents\\nAzure_Bruforce\\n| join kind=inner AWS_Bruforce on $left.IPAddress == $right.SourceIpAddress and $left.UserAgent == $right.UserAgent\\n// Filtering based on conditions for failed and 
successful events\\n| where (AWSFailedEventsCount >= 4 and AzureFailedEventsCount >= 5) and ((AzureSuccessfuleventsCount >= 1 and AzureFailedEvent > AzureSuccessfulEvent) or (AWSSuccessfuleventsCount >= 1 and AWSFailedEventsCount > AWSSuccessfuleventsCount))\",\"customDetails\":{\"AwsUser\":\"UserIdentityUserName\",\"UserAgent\":\"UserAgent\",\"AzureUser\":\"UserPrincipalName\",\"AzureClientAppUsed\":\"ClientAppUsed\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Cross-Cloud Password Spray detection\",\"description\":\"This detection focuses on identifying potential cross-cloud brute force / Password Spray attempts involving Azure and AWS platforms. It monitors sign-in activities within the Azure Portal and AWS ConsoleLogins where brute force attempts are successful on both platforms in a synchronized 
manner.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\",\\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\",\\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\",\\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend HostName = iff(Computer has '.', substring(Computer,0,indexof(Computer,'.')),Computer)\\n| extend DnsDomain = iff(Computer has '.', 
substring(Computer,indexof(Computer,'.')+1),\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| where UrlCategory contains 'Adult Themes' or\\n UrlCategory contains 'Adware' or\\n UrlCategory contains 'Alcohol' or\\n UrlCategory contains 'Illegal Downloads' or\\n UrlCategory contains 'Drugs' or\\n UrlCategory contains 'Child Abuse Content' or\\n UrlCategory contains 'Hate/Discrimination' or\\n UrlCategory contains 'Nudity' or\\n UrlCategory contains 'Pornography' or\\n UrlCategory contains 'Proxy/Anonymizer' or\\n UrlCategory contains 
'Sexuality' or\\n UrlCategory contains 'Tasteless' or\\n UrlCategory contains 'Terrorism' or\\n UrlCategory contains 'Web Spam' or\\n UrlCategory contains 'German Youth Protection' or\\n UrlCategory contains 'Illegal Activities' or\\n UrlCategory contains 'Lingerie/Bikini' or\\n UrlCategory contains 'Weapons'\\n| project TimeGenerated, SrcIpAddr, Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using 
innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD\\n | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated < ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI 
list.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|&)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated > ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated > ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == 
$right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\"
:\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated > ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(bag_pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@'\\\\[?(::ffff:)?(?P(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\\\\d+))?', dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount > 1 and EndTime > ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6\",\"name\":\"2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"BehaviorAnalytics\\n// User modification is expected from this account so focus on logons\\n| where ActivityType =~ \\\"LogOn\\\"\\n| where UserName startswith \\\"Sync_\\\" and UsersInsights.AccountDisplayName =~ \\\"On-Premises Directory Synchronization Service Account\\\"\\n// Filter out this expected activity\\n| where ActivityInsights.App !~ \\\"Microsoft Azure Active Directory Connect\\\"\\n| where 
InvestigationPriority > 0\\n| extend Name = split(UserPrincipalName, \\\"@\\\")[0], UPNSuffix = split(UserPrincipalName, \\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DestinationDevice\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Suspicious Sign In by AAD Connect Sync Account {{UserPrincipalName}} from {{SourceIPAddress}}\",\"alertDescriptionFormat\":\"This query looks for sign ins by the Azure AD Connect Sync account to Azure where properties about the logon are anomalous.\\nThis query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.\\nA threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be \\nreviewed to ensure that the log in came was from a legitimate source.\\nIn this case {{UserPrincipalName}} logged in from {{SourceIPAddress}}.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"Suspicious Sign In by Entra ID Connect Sync Account\",\"description\":\"This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous.\\nThis query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.\\nA threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. 
This alert should be \\nreviewed to ensure that the log in came was from a legitimate source.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-03-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = column_ifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, 
tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project timestamp = CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PA_Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to PaloAlto Data\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in PaloAlto 
Data.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", 
\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend HostName = iff(Computer has '.', substring(Computer,0,indexof(Computer,'.')),Computer)\\n| extend DnsDomain = iff(Computer has '.', substring(Computer,indexof(Computer,'.')+1),\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nlet Signins = materialize(union isfuzzy=true\\n( SigninLogs | where TimeGenerated >= ago(dt_lookBack)),\\n( AADNonInteractiveUserSignInLogs | where TimeGenerated >= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails))\\n| where isnotempty(UserPrincipalName) and UserPrincipalName matches regex emailregex\\n| extend UserPrincipalName = tolower(UserPrincipalName)\\n| extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend SigninLogs_TimeGenerated = TimeGenerated);\\nlet SigninUPNs = Signins | distinct UserPrincipalName | summarize make_list(UserPrincipalName);\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated >= 
ago(ioc_lookBack)\\n| where EmailSenderAddress in (SigninUPNs)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\"\\n| join kind=innerunique (Signins) on $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated < ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\\n| extend timestamp = SigninLogs_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major = ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now();\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), 
DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated < ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Domain\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that 
supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2024-10-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", 
\\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n| parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n| parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n| parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\n| extend IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (DomainNames)\\n| parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". 
\\\" protocol \\\" \\\" details\\n| extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n| extend IPCustomEntity = SourceIP\\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n| order by TimeGenerated\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (DomainNames)\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Emerald Sleet domains included in DCU takedown\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where 
isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now();\\n// Perform a join between IP indicators and VMConnection events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n VMConnection\\n | where TimeGenerated >= ago(dt_lookBack)\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.RemoteIp\\n // Filter out VMConnection events that occurred after the expiration of the corresponding indicator\\n | where VMConnection_TimeGenerated < ExpirationDateTime\\n // Group the results by IndicatorId and keep the VMConnection event with the latest timestamp\\n | summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n // Select the desired output fields\\n | project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n | extend timestamp = 
VMConnection_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIp\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to VMConnection\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in VMConnection.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let EventNameList = 
dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity.\\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html \\nAWS Cloudwatch/Eventbridge API: 
https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html \\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html ' \",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, 
Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s >= threshold\\n| extend timestamp = 
StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains 'auth' and ProcessName != 'sudo' and 
SyslogMessage has 'from' and not(SyslogMessage has_any ('Disconnecting', 'Disconnected', 'Accepted', 'disconnect', @'[preauth]'))\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ > signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timestamp = TimeGenerated, Type = Type\\n| extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Microsoft Entra ID from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 1)[0]), 
\\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud.\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service)\\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand RDS API Reference Docs: 
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build.\\nAs variables are often changed by users, just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed modifying them before.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572f3951-5fa3-4e42-9640-fe194d859419\",\"name\":\"572f3951-5fa3-4e42-9640-fe194d859419\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet lookback = 7d;\\nlet known_useragents = dynamic([]);\\nDynamics365Activity\\n| where TimeGenerated > ago(timeframe)\\n| extend Message = tostring(split(OriginalObjectId, ' ')[0])\\n| where Message =~ \\\"UserSignIn\\\"\\n| extend IPAddress = 
tostring(split(ClientIP, \\\":\\\")[0])\\n| where isnotempty(UserAgent)\\n// Exclude user agents with a render agent to reduce noise\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| join kind=leftanti(\\nOfficeActivity\\n| where TimeGenerated > ago(lookback)\\n| where UserAgent !in~ (known_useragents))\\non UserAgent\\n| summarize MostRecentActivity=max(TimeGenerated), IPs=make_set(IPAddress), Users=make_set(UserId), Actions=make_set(OriginalObjectId) by UserAgent\\n| extend timestamp = MostRecentActivity\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New Office User Agent in Dynamics 365\",\"description\":\"Detects users accessing Dynamics from a User Agent that has not been seen in any Office 365 workloads in the last 7 days. Has configurable filter for known good user agents such as PowerApps.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService =~ \\\"Core Directory\\\" and OperationName =~ \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\" 
and Identity != \\\"MS-PIM-Fairfax\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside PIM\",\"description\":\"Identifies a 
privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-10-18T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend MemberAdded = tostring(parse_json(Members)[0].UPN)\\n| where MemberAdded contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, MemberAdded, UserWhoAdded = UserId, TeamName\\n| join kind = inner (\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend MemberAdded = tostring(parse_json(Members)[0].UPN)\\n | where MemberAdded contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, MemberAdded, UserWhoDeleted = UserId, TeamName\\n ) on MemberAdded\\n| where TimeDeleted > TimeAdded\\n| join kind=inner (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | extend MemberAdded = 
UserId\\n | join kind = inner (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount > fileAccessThrehold\\n ) on $left.OfficeObjectId == $right.OfficeObjectId\\n )on MemberAdded\\n| project-away MemberAdded1, MemberAdded2, OfficeObjectId1, Operation1, Operation2, TeamName1, TeamName2\\n| extend MemberAddedAccountName = tostring(split(MemberAdded, \\\"@\\\")[0]), MemberAddedAccountUPNSuffix = tostring(split(MemberAdded, \\\"@\\\")[1])\\n| extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, \\\"@\\\")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, \\\"@\\\")[1])\\n| extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, \\\"@\\\")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"MemberAdded\"},{\"identifier\":\"Name\",\"columnName\":\"MemberAddedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"MemberAddedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoAdded\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoAddedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoAddedAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserWhoDeleted\"},{\"identifier\":\"Name\",\"columnName\":\"UserWhoDeletedAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserWhoDeletedAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external 
user\",\"description\":\"This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2024-10-28T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (SharePoint)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectDomainName, SubjectAccount, SubjectUserSid, SubjectLogonId, \\nTargetUserName, TargetDomainName, TargetAccount, TargetSid, UserPrincipalName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. 
\\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or 
UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts > 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"col
umnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| mv-apply TargetResource=TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend ModifiedProperties = TargetResource.modifiedProperties,\\n AppDisplayName = tostring(TargetResource.displayName),\\n AppClientId = 
tolower(tostring(TargetResource.id))\\n )\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| mv-apply Properties=ModifiedProperties on \\n (\\n where Properties.displayName =~ \\\"ConsentAction.Permissions\\\"\\n | extend ConsentFull = tostring(Properties.newValue)\\n | extend ConsentFull = trim(@'\\\"',tostring(ConsentFull))\\n )\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull has \\\"offline_access\\\" and ConsentFull has_any (\\\"Files.Read\\\", \\\"Mail.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\", \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\")\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantInitiatedByAppName = tostring(InitiatedBy.app.displayName)\\n| extend GrantInitiatedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend GrantInitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend GrantInitiatedByAadUserId = tostring(InitiatedBy.user.id)\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(GrantInitiatedByUserPrincipalName), GrantInitiatedByUserPrincipalName, GrantInitiatedByAppName)\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, 
GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| mv-apply TargetResource=TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend ModifiedProperties = TargetResource.modifiedProperties,\\n AppClientId = tolower(TargetResource.id)\\n )\\n| mv-apply ModifiedProperties=TargetResource.modifiedProperties on \\n (\\n where ModifiedProperties.displayName =~ \\\"AppAddress\\\" and ModifiedProperties.newValue has \\\"AddressType\\\"\\n | extend AppReplyURLs = ModifiedProperties.newValue\\n )\\n | distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n | mv-apply TargetResource=TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\\n | extend GrantAuthentication = tostring(TargetResource.displayName)\\n )\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, 
AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend Name = tostring(split(GrantInitiatedByUserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedByUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GrantInitiatedByUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GrantIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now();\\n// Perform a join between IP indicators and AzureDiagnostics logs for SQL Security Audit events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated >= ago(dt_lookBack)\\n | where ResourceProvider == 'MICROSOFT.SQL'\\n | where Category == 'SQLSecurityAuditEvents'\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\")\\n | extend Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\")\\n | extend Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\")\\n | extend HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n )\\n on $left.TI_ipEntity == $right.ClientIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where SQLSecurityAuditEvents_TimeGenerated < ExpirationDateTime\\n // Group the results by IndicatorId and ClientIP, and keep the log entry with the latest timestamp\\n | summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n // Select the desired output fields\\n | project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Rename the timestamp field\\n | extend timestamp = 
SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to Azure SQL Security Audit Events\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SQL Security Audit Events.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureSql\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, 
EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists('ObjectName', \\\"\\\"), OperationType = column_ifexists('OperationType', \\\"\\\"), ObjectValueName = column_ifexists('ObjectValueName', \\\"\\\")\\n| where ObjectName has 'Schedule\\\\\\\\TaskCache\\\\\\\\Tree' and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(TargetAccount, @'\\\\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\\\\')[0])\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. 
Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist('HostName-DomainControllers') | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == 'Windows'\\n| where 
TimeGenerated between (ago(query_frequency + missing_period) .. ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog\\n | where Message 
has_any (DomainNames)\\n | parse Message with * '(' DNSName ')' *\\n | extend AccountName = SourceUserID, DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | where DnsQuery has_any (DomainNames)\\n | extend IPAddress = SrcIpAddr, DeviceName = Dvc\\n ),\\n (VMConnection\\n | where RemoteDnsCanonicalNames has_any (DomainNames)\\n | parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n | extend IPAddress = RemoteIp, DeviceName = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n | where DestinationHost has_any (DomainNames)\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | project TimeGenerated,Resource, msg_s, Type\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (DomainNames)\\n | extend DNSName = Request_Name\\n | extend IPAddress = ClientIP\\n ),\\n (AZFWApplicationRule\\n | where isnotempty(Fqdn)\\n | where Fqdn has_any (DomainNames) \\n | extend DNSName = Fqdn \\n | extend IPAddress = SourceIp\\n ),\\n (AZFWDnsQuery\\n | where isnotempty(QueryName)\\n | where QueryName has_any (DomainNames)\\n | extend DNSName = QueryName\\n | extend IPAddress = SourceIp\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPAddress=IpAddr, DeviceName=Hostname, AccountName = tostring(split(User, \\\"@\\\")[0]), AccountDomain = tostring(split(User, \\\"@\\\")[1])\\n )\\n)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Forest Blizzard group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Forest Blizzard group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk 
Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n) on $left.DeviceName == $right.CompromisedEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender 
Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as\\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * 'TargetObject\\\">' TargetObject \\\"<\\\" * 'Details\\\">' Details \\\"<\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\\n| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has 
'.',substring(Computer,indexof(Computer,'.')+1),'')\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: 
https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by bin(TimeGenerated, 1d), DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), 
CompromisedEntity)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware.\\nIn Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9adbd1c3-a4be-44ef-ac2f-503fd25692ee\",\"name\":\"9adbd1c3-a4be-44ef-ac2f-503fd25692ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 100;\\nlet timeRange = ago(7d);\\nlet timeBuffer = 1;\\nSigninLogs \\n| where TimeGenerated > timeRange\\n| where ResultType == \\\"50057\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), 
disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, AppId\\n| order by disabledAccountLoginAttempts desc\\n| join kind=inner (\\n // IPs are considered suspicious - and any related successful sign-ins are detected\\n SigninLogs\\n | where TimeGenerated > timeRange\\n | where ResultType == 0\\n | summarize successSigninStart = min(TimeGenerated), successSigninEnd = max(TimeGenerated), successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount < threshold\\n) on IPAddress \\n// IPs where attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where successfulAccountSigninCount != 0\\n// Successful Account Signins occur within the same lookback period as the failed \\n| extend SuccessBeforeFailure = iff(successSigninStart >= StartTime and successSigninEnd <= EndTime, true, false) \\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, successSigninStart, successSigninEnd, AppId\\n| order by disabledAccountLoginAttempts\\n// Break up the string of Succesfully signed into accounts into individual events\\n| mvexpand successfulAccountSigninSet\\n| extend JoinedOnIp = IPAddress\\n| join kind = inner (\\n OfficeActivity\\n | where TimeGenerated > timeRange\\n | where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\") 
and not(UserId has_any ('NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\\\\\\\SYSTEM (w3wp)', 'devilfish-applicationaccount'))\\n // Remove port from the end of the IP and/or square brackets around IP, if they exist \\n | extend JoinedOnIp = case(\\n ClientIP matches regex @'\\\\[((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\]-\\\\d{1,5}', tostring(extract('\\\\\\\\[([0-9]+\\\\\\\\.[0-9]+\\\\\\\\.[0-9]+)\\\\\\\\]-[0-9]+', 1, ClientIP)),\\n ClientIP matches regex @'\\\\[((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\]', tostring(extract('\\\\\\\\[([0-9]+\\\\\\\\.[0-9]+\\\\\\\\.[0-9]+)\\\\\\\\]', 1, ClientIP)), \\n ClientIP matches regex @'(((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?))-\\\\d{1,5}', tostring(extract('([0-9]+\\\\\\\\.[0-9]+\\\\\\\\.[0-9]+)-[0-9]+', 1, ClientIP)),\\n ClientIP matches regex @'((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)', ClientIP, \\n ClientIP matches regex @'\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})\\\\]-\\\\d{1,5}', tostring(extract('\\\\\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\\\\\d{1,3}(?:\\\\\\\\.\\\\\\\\d{1,3}){3})\\\\\\\\]-[0-9]+', 1, ClientIP)),\\n ClientIP matches regex @'\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})\\\\]', tostring(extract('\\\\\\\\[((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\\\\\d{1,3}(?:\\\\\\\\.\\\\\\\\d{1,3}){3})\\\\\\\\]', 1, ClientIP)), \\n ClientIP matches regex @'((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})-\\\\d{1,5}', tostring(extract('((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\\\\\d{1,3}(?:\\\\\\\\.\\\\\\\\d{1,3}){3})-[0-9]+', 1, ClientIP)),\\n ClientIP matches regex @'((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\\\d{1,3}(?:\\\\.\\\\d{1,3}){3})', ClientIP,\\n 
\\\"\\\")\\n | where isnotempty(JoinedOnIp)\\n | extend OfficeTimeStamp = ElevationTime, UserPrincipalName = UserId\\n) on JoinedOnIp\\n// Rare and risky operations only happen within a certain time range of the successful sign-in\\n| where OfficeTimeStamp >= successSigninStart and datetime_diff('day', OfficeTimeStamp, successSigninEnd) <= timeBuffer\\n| extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"JoinedOnIp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"ApplicationId\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Collection\"],\"displayName\":\"High risk Office operation conducted by IP Address that recently attempted to log into a disabled account\",\"description\":\"It is possible that a disabled user account is compromised and another account on the same IP is used to perform operations that are not typical for that user.\\n The query filters the SigninLogs for entries where ResultType is indicates a disabled account and the TimeGenerated is within a defined time range.\\n It then summarizes these entries by IPAddress and AppId, calculating various statistics such as number of login attempts, distinct UPNs, App IDs etc and joins these results with another set of results from SigninLogs, filtering for entries with less than normal number of successful sign-ins.\\n 
It then filters out entries where there were no successful sign-ins or where successful sign-ins did not occur within the same lookback period as the failed sign-ins, later projecting relevant fields by the count of login attempts, and expands the set of successful sign-ins into individual events.\\n Finally, it joins these results with entries from OfficeActivity where certain operations deemed rare and high risk have been performed, ensuring their occurrance within a certain time range of the successful sign-ins.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\nlet sha256Hashes = 
\\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, 
HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where SourceIp in (IPList) or Fqdn in (IPList)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where SourceIp in (IPList) or QueryName in (IPList)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = 
InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == '4688'\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == '4688' and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = 
tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == 'MDATP'\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256, FileHashType = \\\"SHA256\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Aqua Blizzard AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the Aqua Blizzard actor\",\"lastUpdatedDateUTC\":\"2023-07-18T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic(['graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content','graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content']);\\nlet oneDriveCallsRegex = dynamic([@'graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content',@'graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content']);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. 
This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/186970ee-5001-41c1-8c73-3178f75ce96a\",\"name\":\"186970ee-5001-41c1-8c73-3178f75ce96a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let Europium_threats = dynamic([\\\"TrojanDropper:ASP/WebShell!MSR\\\", \\\"Trojan:Win32/BatRunGoXml\\\", \\\"DoS:Win64/WprJooblash\\\", \\\"Ransom:Win32/Eagle!MSR\\\", \\\"Trojan:Win32/Debitom.A\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Europium_threats) or ThreatFamilyName in~ (Europium_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, bin(TimeGenerated, 1d), CompromisedEntity, 
tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))\\n| extend HostNameDomain = iff(CompromisedEntity != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Europium actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Europium actor. \\nIn Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government \",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\",\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| where SessionIssuerUserName !contains \\\"AWSReservedSSO\\\"\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, 
MFAUsed, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\n UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. 
Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\\n| extend Name=tostring(split(SubjectUserName, \\\"@\\\")[0]), UPNSuffix=tostring(split(SubjectUserName, \\\"@\\\")[1])\\n| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has 
'.',substring(Computer,indexof(Computer,'.')+1),'')\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", 
ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * '(' DNSName ')' * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = 'Chia crypto IOC detected'\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend 
IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, File = tostring(split(Image, '\\\\\\\\', -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, '')\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, 
IPEntity = RemoteIP\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty (Fqdn)\\n| where Fqdn has_any (domains)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains) or SourceIp in (IPList)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * 'SHA256=' SHA256 '\\\",' *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\\n| extend FilePath = replace_string(Image, File, '')\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\\n| extend FilePath = 
replace_string(InitiatingProcessFolderPath, File, '')\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashAlgo = 'SHA256', Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\\n| extend FilePath= replace_string(Image, File, '')\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')\\n),\\n(SecurityEvent\\n| where EventID == '4688'\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, Computer, Account, File = 
tostring(split(NewProcessName, '\\\\\\\\', -1)[-1])\\n| extend FilePath = replace_string(NewProcessName, File, '')\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93a25f10-593d-4c57-a752-a8a75f031425\",\"name\":\"93a25f10-593d-4c57-a752-a8a75f031425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let baseline_time = 14d;\\nlet detection_time = 1d;\\nDynamics365Activity\\n| where TimeGenerated 
between(ago(baseline_time)..ago(detection_time-1d))\\n| extend Message = tostring(split(OriginalObjectId, ' ')[0])\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend HistoricalBaseline = sum_QueryCount\\n| join (Dynamics365Activity\\n| where TimeGenerated > ago(detection_time)\\n| extend Message = tostring(split(OriginalObjectId, ' ')[0])\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend CurrentExportRate = sum_QueryCount) on UserId\\n| where CurrentExportRate > HistoricalBaseline\\n| project UserId, HistoricalBaseline, CurrentExportRate\\n| join kind=inner(Dynamics365Activity\\n| where TimeGenerated > ago(detection_time)\\n| extend Message = tostring(split(OriginalObjectId, ' ')[0])\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))) on UserId\\n| project TimeGenerated, UserId, QueryCount, UserAgent, Message, ClientIP, HistoricalBaseline, CurrentExportRate, CorrelationId, CrmOrganizationUniqueName, Query\\n| summarize QuerySizes = make_set(QueryCount), MostRecentQuery = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent), make_set(Query) by UserId, CrmOrganizationUniqueName, HistoricalBaseline, 
CurrentExportRate\\n| extend timestamp = MostRecentQuery, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Dynamics 365 - User Bulk Retrieval Outside Normal Activity\",\"description\":\"This query detects users retrieving significantly more records from Dynamics 365 than they have in the past 2 weeks. This could indicate potentially unauthorized access to data within Dynamics 365.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| where UrlOriginal matches regex @'\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*'\\n| project TimeGenerated, SrcIpAddr, Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - 
URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3705158d-e008-49c9-92dd-e538e1549090\",\"name\":\"3705158d-e008-49c9-92dd-e538e1549090\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let Zinc_threats = dynamic([\\\"Trojan:Win32/ZetaNile.A\\\", \\\"Trojan:Win32/EventHorizon.A\\\", \\\"Trojan:Win32/FoggyBrass.A\\\", \\\"Trojan:Win32/FoggyBrass.B\\\", \\\"Trojan:Win32/PhantomStar.A\\\",\\\"Trojan:Win32/PhantomStar.C\\\",\\\"TrojanDropper:Win32/PhantomStar.A\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Zinc_threats) or ThreatFamilyName in~ (Zinc_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = 
tostring(split(CompromisedEntity, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(CompromisedEntity, '.'), 1, -1), '.'))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Zinc actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Zinc threat actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\",\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security 
Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace's geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.7\",\"severity\":\"Low\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\
"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources.\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet recycle_bin_paths = dynamic([@\\\":\\\\RECYCLER\\\", @\\\":\\\\$RECYCLE.BIN\\\"]);\\nlet ProcessCreationEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has_any (recycle_bin_paths)\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n));\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine has_any (recycle_bin_paths)\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has 
'.',substring(Computer,indexof(Computer,'.')+1),'')\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries that can be used for executing malware and have been hidden in the recycle bin.\\nThe list of these binaries is sourced from https://lolbas-project.github.io/\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2024-07-16T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult='Failure')\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where 
Count > threshold\\n| extend timestamp = TimeGenerated, threshold\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession 
schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\"
,\"triggerThreshold\":1,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"192\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv24\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where OperationNameValue in~ (operationList)\\n| where ActivityStatusValue startswith \\\"Accept\\\"\\n| where Properties has 'vmSize'\\n| extend parsed_property= parse_json(tostring((parse_json(Properties).responseBody))).properties\\n| extend vmSize = tostring((parsed_property.hardwareProfile).vmSize)\\n| mv-apply token=tokens to typeof(string) on (where vmSize contains token)\\n| extend ComputerName = tostring((parsed_property.osProfile).computerName)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"ComputerName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure.\\nAn adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes.\\nFor Windows/Linux Vm Sizes, see 
https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated > ago(lbperiod)\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| where SrcUserUpn != ''\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. 
now())\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| extend isProtected = todynamic(MsgParts)[0]['isProtected']\\n| extend mimePgp = todynamic(MsgParts)[0]['detectedMime']\\n| where isProtected == 'true' or mimePgp == 'application/pgp-encrypted'\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let locationThreshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName =~ \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), 
BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations > locationThreshold\\n| extend timestamp = BurstStartTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This detection triggers when there is a Signin burst from multiple locations in GitHub (Entra ID SSO).\\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. 
\",\"lastUpdatedDateUTC\":\"2024-01-04T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5)\\n| extend AccountName = tostring(split(User, @'\\\\')[1]), AccountNTDomain = tostring(split(User, @'\\\\')[0])\\n| extend AlgorithmType = 
\\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DvcDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmType\"},{\"identifier\":\"Value\",\"columnName\":\"TargetFileMD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let 
known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated > ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations above which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet AzureBuiltInRole = externaldata(Role:string,RoleDescription:string,ID:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/AzureBuiltInRole.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\nlet RoleAssignedActivity = createRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, bin(TimeGenerated, 1d)\\n| where count_ >= alertOperationThreshold\\n// Returns all the records from the right side that don't have matches from the left.\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated > ago(endtime)\\n| extend parsed_property = tostring(parse_json(Properties).requestbody)\\n| extend PrincipalId = case(parsed_property has_cs 'PrincipalId',parse_json(parsed_property).Properties.PrincipalId, parsed_property has_cs 'principalId',parse_json(parsed_property).properties.principalId,\\\"\\\")\\n| extend PrincipalType = case(parsed_property has_cs 'PrincipalType',parse_json(parsed_property).Properties.PrincipalType, parsed_property has_cs 'principalType',parse_json(parsed_property).properties.principalType, \\\"\\\")\\n| extend Scope = case(parsed_property has_cs 'Scope',parse_json(parsed_property).Properties.Scope, parsed_property has_cs 'scope',parse_json(parsed_property).properties.scope,\\\"\\\")\\n| extend RoleAddedDetails = case(parsed_property has_cs 'RoleDefinitionId',parse_json(parsed_property).Properties.RoleDefinitionId,parsed_property has_cs 'roleDefinitionId',parse_json(parsed_property).properties.roleDefinitionId,\\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup, PrincipalId, PrincipalType, Scope, RoleAddedDetails\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress;\\nlet RoleAssignedActivitywithRoleDetails = RoleAssignedActivity\\n| extend RoleAssignedID = tostring(split(RoleAddedDetails, \\\"/\\\")[-1])\\n// Returns all matching records from left and right 
sides.\\n| join kind = inner (AzureBuiltInRole \\n) on $left.RoleAssignedID == $right.ID;\\nlet CallerIPCountSummary = RoleAssignedActivitywithRoleDetails | summarize AssignmentCountbyCaller = count() by Caller, CallerIpAddress;\\nlet RoleAssignedActivityWithCount = RoleAssignedActivitywithRoleDetails | join kind = inner (CallerIPCountSummary | project Caller, AssignmentCountbyCaller, CallerIpAddress) on Caller, CallerIpAddress;\\nRoleAssignedActivityWithCount\\n| summarize arg_max(StartTimeUtc, *) by PrincipalId, RoleAssignedID\\n// \\tReturns all the records from the left side and only matching records from the right side.\\n| join kind = leftouter( IdentityInfo\\n| summarize arg_max(TimeGenerated, *) by AccountObjectId\\n) on $left.PrincipalId == $right.AccountObjectId\\n// Check if assignment count is greater than the threshold.\\n| where AssignmentCountbyCaller >= alertOperationThreshold\\n| project ActivityTimeStamp, OperationNameValue, Caller, CallerIpAddress, PrincipalId, RoleAssignedID, RoleAddedDetails, Role, RoleDescription, AccountUPN, AccountCreationTime, GroupMembership, UserType, ActivityStatusValue, ResourceGroup, PrincipalType, Scope, CorrelationId, timestamp, AccountCustomEntity, IPCustomEntity, AssignmentCountbyCaller\\n| extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.8\",\"severity\":\"M
edium\",\"query\":\"SecurityAlert\\n| where TimeGenerated > ago(1d)\\n| where ProductName == \\\"Azure Active Directory Identity Protection\\\"\\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| mv-apply EntityAccount=todynamic(Entities) on\\n(\\nwhere EntityAccount.Type == \\\"account\\\"\\n| extend AadTenantId = tostring(EntityAccount.AadTenantId), AadUserId = tostring(EntityAccount.AadUserId)\\n)\\n| mv-apply EntityIp=todynamic(Entities) on\\n(\\nwhere EntityIp.Type == \\\"ip\\\"\\n| extend IpAddress = tostring(EntityIp.Address)\\n)\\n| join kind=inner (\\nIdentityInfo\\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\\n| extend UserAccount = AccountUPN\\n| extend UserName = AccountDisplayName\\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\\n)\\non\\n$left.AadTenantId == $right.AccountTenantId,\\n$left.AadUserId == $right.AccountObjectId\\n| extend CompromisedEntity = iff(CompromisedEntity == \\\"N/A\\\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\\n| project AlertName, AlertSeverity, CompromisedEntity, UserAccount, IpAddress, TimeGenerated, UserName\\n| join kind=inner \\n(\\nAzureActivity\\n| where OperationNameValue has_any (\\\"/workspaces/computes/delete\\\", \\\"workspaces/delete\\\") \\n| where ActivityStatusValue has_any (\\\"Succeeded\\\", \\\"Success\\\")\\n| project TimeGenerated, ResourceProviderValue, _ResourceId, SubscriptionId, UserAccount=Caller, IpAddress=CallerIpAddress, CorrelationId, OperationId, ResourceGroup, TenantId\\n) on IpAddress, UserAccount\\n| extend AccountName = tostring(split(UserAccount, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserAccount, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion activity from an infected device\",\"description\":\"This query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity. \\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"High\",\"query\":\"let args = 
dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\\\\\\\')[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n// AdFind common Flags to check for from various threat actor TTPs\\nor CommandLine has_any (args)\\n| extend AlgorithmType = \\\"SHA256\\\"\\n| extend AccountName = tostring(split(User, @'\\\\')[1]), AccountNTDomain = tostring(split(User, @'\\\\')[0])\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ActingProcessName\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmType\"},{\"identifier\":\"Value\",\"columnName\":\"TargetProcessSHA256\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create 
incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = column_ifexists(\\\"ResultType\\\", \\\"NoResultType\\\"), \\nrequestUri_s = column_ifexists(\\\"requestUri_s\\\", \\\"None\\\"), \\nidentity_claim_oid_g = column_ifexists(\\\"identity_claim_oid_g\\\", \\\"None\\\"), CallerIPAddress = column_ifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), \\nclientInfo_s = column_ifexists(\\\"clientInfo_s\\\", \\\"None\\\"), \\nidentity_claim_upn_s = column_ifexists(\\\"identity_claim_upn_s\\\", \\\"None\\\"),\\nidentity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=make_list(TimeGenerated),OperationNameList=make_set(OperationName), 
RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, identity_claim_upn_s, clientInfo_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = StartTimeUtc\\n| extend Name = tostring(split(identity_claim_upn_s,'@',0)[0]), UPNSuffix = tostring(split(identity_claim_upn_s,'@',1)[0]), AadUserId = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. 
This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue =~ 'Administrative'\\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\\n| where _ResourceId has 'AdFederationService'\\n| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/servicemembers/action'\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Microsoft Entra ID Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance 
in an Microsoft Entra ID Hybrid Health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-premises AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/60f31001-018a-42bf-8045-a92e1f361b7b\",\"name\":\"60f31001-018a-42bf-8045-a92e1f361b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Define a variable 'AwsAlert' to collect Unauthorized user access alerts from AWS GuardDuty table\\nlet AwsAlert = materialize (\\n AWSGuardDuty\\n | where ActivityType has_any (\\\"UnauthorizedAccess:IAMUser/TorIPCaller\\\", \\\"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom\\\", \\n \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS\\\", \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS\\\",\\n \\\"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B\\\",\\\"UnauthorizedAccess:IAMUser/MaliciousIPCaller\\\")\\n | extend\\n AWSAlertId = Id, \\n AWSAlertTitle = Title,\\n AWSAlertDescription = Description,\\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\\n AWSNetworkEntity = 
tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),\\n AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),\\n InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),\\n AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,\\n AWSAlertTime = TimeCreated,\\n AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=',Id)),\\n Severity = \\n case (\\n Severity >= 7.0, \\\"High\\\",\\n Severity between (4.0 .. 6.9), \\\"Medium\\\",\\n Severity between (1.0 .. 3.9), \\\"Low\\\",\\n \\\"Unknown\\\")\\n | mv-apply AIPCall = AWSTargetingService on \\n ( \\n where AIPCall has \\\"name\\\" \\n | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall[\\\"count\\\"])\\n ) \\n | distinct\\n AWSAlertTime,\\n ActivityType,\\n Severity,\\n AWSAlertId,\\n AWSAlertTitle,\\n AWSAlertDescription,\\n AWSAlertLink,\\n Arn,\\n AWSresourceType,\\n AWSNetworkEntity,\\n AWSAlertUserNameEntity,\\n InstanceType,\\n APICallName,\\n APICallCount \\n );\\n // Define a variable 'Azure_sigin' to collect Azure portal Signing activity from SigninLogs Table\\n let Azure_sigin = materialize (SigninLogs\\n | where AppDisplayName == \\\"Azure Portal\\\"\\n | where isnotempty(OriginalRequestId)\\n | summarize \\n totalAzureLoginEventId = dcount(OriginalRequestId), \\n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \\n AzureSuccessfulEventsCount = dcountif(OriginalRequestId, ResultType == 0),\\n AzureSetOfFailedEvents = makeset(iff(ResultType != 0, OriginalRequestId, \\\"\\\"), 5), \\n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \\\"\\\"), 5) \\n by \\n IPAddress, \\n UserPrincipalName, \\n bin(TimeGenerated, 1min), \\n UserAgent,\\n ConditionalAccessStatus,\\n OperationName,\\n RiskDetail,\\n AuthenticationRequirement,\\n 
ClientAppUsed \\n // Extracting the name and UPN suffix from UserPrincipalName\\n | extend\\n Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n );\\n // Join 'AwsAlert' and 'Azure_sigin' on the AWS Network Entity and Azure IP Address\\n AwsAlert\\n | join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress\",\"customDetails\":{\"AWSAlertUserName\":\"AWSAlertUserNameEntity\",\"AWSArn\":\"Arn\",\"AWSresourceType\":\"AWSresourceType\",\"AWSInstanceType\":\"InstanceType\",\"AWSAPICallName\":\"APICallName\",\"AWSAPICallCount\":\"APICallCount\",\"AzureUserAgent\":\"UserAgent\",\"AzureUser\":\"UserPrincipalName\",\"AzureClientAppUsed\":\"ClientAppUsed\",\"AzConditionalAccess\":\"ConditionalAccessStatus\",\"AzureOperationName\":\"OperationName\",\"AzureRiskDetail\":\"RiskDetail\",\"AzAuthRequirement\":\"AuthenticationRequirement\",\"alertSeverity\":\"Severity\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in Azure Singins with {{UserPrincipalName}}\",\"alertDescriptionFormat\":\" This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. 
\\n\\n AWS ALert Link : '{{AWSAlertLink}}' \\n\\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"Severity\"},\"tactics\":[\"CredentialAccess\",\"Exfiltration\",\"Discovery\"],\"displayName\":\"Unauthorized user access across AWS and Azure\",\"description\":\"\\nThis detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The ditection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.\\n\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where isnotempty(NetworkIP) or 
isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated < ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5c847e47-0a07-4c01-ab99-5817ad6cb11e\",\"name\":\"5c847e47-0a07-4c01-ab99-5817ad6cb11e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Materialize AWS GuardDuty findings\\nlet AwsAlert = materialize (\\n AWSGuardDuty\\n // Filter for specific activity types in AWS GuardDuty\\n | where ActivityType has_any (\\n \\\"Backdoor:EC2/DenialOfService.UnusualProtocol\\\",\\n \\\"CredentialAccess:Kubernetes/MaliciousIPCaller\\\",\\n \\\"CredentialAccess:Kubernetes/SuccessfulAnonymousAccess\\\",\\n \\\"CredentialAccess:Kubernetes/TorIPCaller\\\",\\n \\\"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce\\\",\\n \\\"CredentialAccess:RDS/TorIPCaller.FailedLogin\\\",\\n \\\"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin\\\",\\n \\\"Discovery:Kubernetes/MaliciousIPCaller\\\",\\n \\\"Recon:IAMUser/MaliciousIPCaller.Custom\\\",\\n \\\"UnauthorizedAccess:EC2/TorClient\\\",\\n \\\"UnauthorizedAccess:IAMUser/TorIPCaller\\\",\\n \\\"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom\\\",\\n \\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS\\\",\\n 
\\\"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS\\\",\\n \\\"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B\\\"\\n )\\n // Extract and transform AWS GuardDuty attributes\\n | extend\\n AWSAlertId = Id, \\n AWSAlertTitle = Title,\\n AWSAlertDescription = Description,\\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),\\n AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),\\n InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),\\n AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,\\n AWSAlertTime = TimeCreated,\\n AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=', Id)),\\n Severity = \\n case (\\n Severity >= 7.0,\\n \\\"High\\\",\\n Severity between (4.0 .. 6.9),\\n \\\"Medium\\\",\\n Severity between (1.0 .. 
3.9),\\n \\\"Low\\\",\\n \\\"Unknown\\\"\\n)\\n // Extract API call details and count\\n | mv-apply AIPCall = AWSTargetingService on \\n ( \\n where AIPCall has \\\"name\\\" \\n | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall[\\\"count\\\"])\\n ) \\n // Select distinct attributes for further analysis\\n | distinct\\n AWSAlertTime,\\n ActivityType,\\n Severity,\\n AWSAlertId,\\n AWSAlertTitle,\\n AWSAlertDescription,\\n AWSAlertLink,\\n Arn,\\n AWSresourceType,\\n AWSNetworkEntity,\\n AWSAlertUserNameEntity,\\n InstanceType,\\n APICallName,\\n APICallCount \\n );\\n// Materialize GCP Audit Logs related to VM instance creation\\nlet GCPVMActivity= materialize(\\n GCPAuditLogs \\n // Filter for Compute Engine instances insertions\\n | where ServiceName == \\\"compute.googleapis.com\\\" and MethodName endswith \\\"instances.insert\\\"\\n // Extract and transform relevant GCP Audit Log attributes\\n | extend\\n GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\\n GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\\n VMDetails= parse_json(AuthorizationInfo),\\n VMStatus = tostring(parse_json(Response).status),\\n VMOperation=tostring(parse_json(Response).operationType),\\n VMName= tostring(parse_json(Request).name),\\n VMDescription= tostring(parse_json(Request).description),\\n VMType = tostring(split(parse_json(Request).machineType, \\\"/\\\")[-1]),\\n Tags= tostring(parse_json(Request).tags),\\n RequestJS = parse_json(Request)\\n // Filter out service account-related activities and private IP addresses\\n | where GCPUserUPN !has \\\"gserviceaccount.com\\\"\\n | extend Name = tostring(split(GCPUserUPN, \\\"@\\\")[0]), UPNSuffix = tostring(split(GCPUserUPN, \\\"@\\\")[1])\\n | where VMOperation == \\\"insert\\\" and isnotempty(GCPUserIp) and GCPUserIp != \\\"private\\\"\\n // Select relevant attributes for further analysis\\n | 
project\\n GCPOperationTime=TimeGenerated,\\n VMName,\\n VMStatus,\\n MethodName,\\n GCPUserUPN,\\n ProjectId,\\n GCPUserIp,\\n GCPUserUA,\\n VMOperation,\\n VMType,\\n Name,\\n UPNSuffix\\n );\\n// Join AWS and GCP activities based on matching IP addresses\\nAwsAlert\\n| join kind= inner (GCPVMActivity)\\n on\\n $left.AWSNetworkEntity == $right.GCPUserIp\",\"customDetails\":{\"AWSAlertUserName\":\"AWSAlertUserNameEntity\",\"AWSArn\":\"Arn\",\"AWSresourceType\":\"AWSresourceType\",\"AWSInstanceType\":\"InstanceType\",\"AWSAPICallName\":\"APICallName\",\"AWSAPICallCount\":\"APICallCount\",\"GCPUserAgent\":\"GCPUserUA\",\"GCPVMName\":\"VMName\",\"GCPProjectId\":\"ProjectId\",\"GCPVMType\":\"VMType\",\"CorrelationWith\":\"GCPAuditLogs\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GCPUserIp\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}\",\"alertDescriptionFormat\":\" This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' assocated with GCP compute activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. 
\\n\\n AWS ALert Link : '{{AWSAlertLink}}' \\n\\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"Severity\"},\"tactics\":[\"InitialAccess\",\"Execution\",\"Persistence\",\"PrivilegeEscalation\",\"CredentialAccess\",\"Discovery\",\"LateralMovement\"],\"displayName\":\"Cross-Cloud Suspicious Compute resource creation in GCP\",\"description\":\"\\nThis detection identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.\\n\",\"lastUpdatedDateUTC\":\"2023-10-06T00:00:00Z\",\"createdDateUTC\":\"2023-10-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"GCPAuditLogsDefinition\",\"dataTypes\":[\"GCPAuditLogs\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * 'CommandLine\\\">' CommandLine \\\"<\\\" * 'ParentCommandLine\\\">' 
ParentCommandLine \\\"<\\\" *\\n| where ParentCommandLine =~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine =~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * 'ProcessGuid\\\">' ProcessGuid \\\"<\\\" * 'Image\\\">' Image \\\"<\\\" * 'Description\\\">' Description \\\"<\\\" * 'CurrentDirectory\\\">' CurrentDirectory \\\"<\\\" * 'User\\\">' User \\\"<\\\" * 'LogonGuid\\\">' LogonGuid \\\"<\\\" * 'ParentProcessGuid\\\">' ParentProcessGuid \\\"<\\\" * 'ParentImage\\\">' ParentImage \\\"<\\\" * 'ParentCommandLine\\\">' ParentCommandLine \\\"<\\\" * 'ParentUser\\\">' ParentUser \\\"<\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\\n| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: 
http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour\\nlet ioc_lookBack = 14d; // Look back 14 days\\n// Create a list of top-level domains (TLDs) from the threat feed data for later validation\\nlet SecurityLog = materialize(\\n CommonSecurityLog\\n // Filter common security logs based on the specified time range\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceEventClassID =~ 'url'\\n // Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n // Extract the domain from RequestURL, if not present, extract it from AdditionalExtensions\\n | extend PA_Url = column_ifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\\\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol 
!~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | extend Domain = trim('\\\"', tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n);\\nlet LogDomains = SecurityLog | distinct Domain | summarize make_list(Domain);\\n// Retrieve threat intelligence indicators within the specified time range\\nlet Domain_Indicators = materialize(\\n ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | extend TI_DomainEntity = tolower(DomainName)\\n | where TI_DomainEntity in (LogDomains)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now());\\n// Join threat intelligence indicators with common security logs\\nDomain_Indicators | join kind=innerunique (SecurityLog) on $left.TI_DomainEntity == $right.Domain\\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod, Type, TI_DomainEntity\\n| extend timestamp = CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PA_Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to PaloAlto 
CommonSecurityLog\",\"description\":\"Identifies a match in PaloAlto CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'inbound'\\n| where FilterDisposition !in ('reject', 'discard')\\n| where FilterModulesSpamScoresOverall == '100'\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ec3a7f9-9f55-4be3-aeb6-9188f91b278e\",\"name\":\"8ec3a7f9-9f55-4be3-aeb6-9188f91b278e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet user_accounts = \\\"(([a-zA-Z]{1,})\\\\\\\\.([a-zA-Z]{1,}))@.*\\\";\\nlet known_useragents = dynamic([]);\\nDynamics365Activity\\n| where TimeGenerated between(ago(lookback)..ago(timeframe))\\n| where isnotempty(UserAgent)\\n| summarize by UserAgent, UserId\\n| join kind = rightanti (Dynamics365Activity\\n| where TimeGenerated > ago(timeframe)\\n| where isnotempty(UserAgent)\\n| where UserAgent !in~ (known_useragents)\\n| where UserAgent !hasprefix \\\"azure-logic-apps\\\" and UserAgent !hasprefix \\\"PowerApps\\\"\\n| where UserId matches regex user_accounts)\\non UserAgent, UserId\\n// Uncomment this section to exclude user agents with a rendering engine, indicating browsers.\\n//| join kind = leftanti(\\n//Dynamics365Activity\\n//| where TimeGenerated between(ago(lookback)..ago(timeframe))\\n//| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")) on UserAgent\\n| summarize FirstSeen = min(TimeGenerated), IPs = make_set(ClientIP) by UserAgent, UserId\\n| extend timestamp = FirstSeen, AccountCustomEntity = 
UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New Dynamics 365 User Agent\",\"description\":\"Detects users accessing Dynamics from a User Agent that has not been seen the 14 days. Has configurable filter for known good user agents such as PowerApps. Also includes optional section to exclude User Agents to indicate a browser being used.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29e99017-e28d-47be-8b9a-c8c711f8a903\",\"name\":\"29e99017-e28d-47be-8b9a-c8c711f8a903\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (_GetWatchlist('VIPUsers') | distinct \\\"User Principal Name\\\");\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = 
tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = trim(@'\\\"',tolower(tostring(TargetResource.userPrincipalName)))\\n )\\n| where Target in~ (VIPUsers)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, Result, Target\\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT Authentication Methods Changed for VIP Users\",\"description\":\"Identifies authentication methods being changed for a list of VIP users watchlist. 
This could be an indication of an attacker adding an auth method to the account so they can have continued access.\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.4\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = \\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| extend IoC = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n| where IoC != \\\"NO_IP\\\"\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now();\\nIP_TI\\n| join kind=innerunique // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n(\\n_Im_Dns(starttime=ago(dt_lookBack))\\n| where isnotempty(DnsResponseName)\\n| summarize imDns_mintime=min(TimeGenerated), imDns_maxtime=max(TimeGenerated) by SrcIpAddr, DnsQuery, DnsResponseName, Dvc, EventProduct, EventVendor\\n| extend addresses = extract_all (@'(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)', DnsResponseName)\\n| mv-expand IoC = addresses to typeof(string)\\n)\\non IoC\\n| where imDns_mintime < ExpirationDateTime\\n| project 
imDns_mintime, imDns_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, LatestIndicatorTime, ExpirationDateTime, ConfidenceScore, SrcIpAddr, IoC, Dvc, EventVendor, EventProduct, DnsQuery, DnsResponseName\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"imDns_mintime\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoC\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The response {{IoC}} to DNS query matched an IoC\",\"alertDescriptionFormat\":\"The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to DNS Events (ASIM DNS schema)\",\"description\":\"This rule identifies DNS requests for which response IP address is a known IoC. 
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Microsoft Entra ID 
application\",\"description\":\"Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same IP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range are bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 1 day\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nlet OfficeEvents = materialize(\\n 
OfficeActivity\\n | where isnotempty(UserId)\\n | where TimeGenerated >= ago(dt_lookBack)\\n | where UserId matches regex emailregex\\n | project-rename OfficeActivity_TimeGenerated = TimeGenerated);\\nlet OfficeActivityUPNs = OfficeEvents | distinct UserId = tolower(UserId) | summarize make_list(UserId);\\nThreatIntelligenceIndicator\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| where tolower(EmailSenderAddress) in (OfficeActivityUPNs)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (OfficeEvents) on $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])\\n| extend timestamp = 
OfficeActivity_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = 
dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| 
extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"[Deprecated] - Known Manganese IP and UserAgent activity\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated >= ago(endtime)\\n| where 
EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == 4624\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = 
tostring(EventData.IpAddress)\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio > threshold\\n| project StartTime, EndTime, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend AccountName = tostring(split(Account, @\\\"\\\\\\\")[1]), AccountNTDomain = tostring(split(Account, @\\\"\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed.\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are\\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ 
\\\"ServicePrincipal\\\"\\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName))\\n )\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount > threshold;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(InitiatedBy.user.ipAddress)) and tostring(InitiatedBy.user.ipAddress) != 'null', tostring(InitiatedBy.user.ipAddress),\\n isnotempty(tostring(InitiatedBy.app.ipAddress)) and tostring(InitiatedBy.app.ipAddress) != 'null', tostring(InitiatedBy.app.ipAddress),\\n 'Not Available')\\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName)),\\n props = TargetResource.modifiedProperties\\n )\\n| parse props with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy\\n| extend Reason = \\\"Previously unseen user 
consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = make_set(Reason,100) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, Name = tolower(tostring(split(InitiatedBy,'@',0)[0])), UPNSuffix = tolower(tostring(split(InitiatedBy,'@',1)[0]))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetResourceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet 
AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated > ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal > percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPMax\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies 
anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"tr
iggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\\n| extend AccountName = tostring(split(SrcUsername, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \\\"@\\\")[1])\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. 
This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Execution\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.
You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend timestamp=TimeGenerated\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), 
DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * 'TargetImage\\\">' TargetImage 
\\\"<\\\" * 'GrantedAccess\\\">' GrantedAccess \\\"<\\\" * 'CallTrace\\\">' CallTrace \\\"<\\\" * \\n| where GrantedAccess =~ \\\"0x1FFFFF\\\" and TargetImage =~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * 'SourceProcessGUID\\\">' SourceProcessGUID \\\"<\\\" * 'SourceImage\\\">' SourceImage \\\"<\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\\n| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.\\nThese credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials.\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: 
https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = materialize (\\n ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n | where TI_ipEntity != \\\"NO_IP\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now()\\n);\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique \\n(\\n _Im_NetworkSession (starttime=ago(dt_lookBack))\\n | where isnotempty(SrcIpAddr)\\n | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor \\n | lookup (IP_TI | project TI_ipEntity, Active) on $left.SrcIpAddr == $right.TI_ipEntity\\n | project-rename SrcMatch = Active\\n | lookup (IP_TI | project TI_ipEntity, 
Active) on $left.DstIpAddr == $right.TI_ipEntity\\n | project-rename DstMatch = Active\\n | where SrcMatch or DstMatch\\n | extend \\n IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr),\\n IoCDirection = iff(SrcMatch, \\\"Source\\\", \\\"Destination\\\")\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_mintime < ExpirationDateTime\\n| project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct\",\"customDetails\":{\"EventStartTime\":\"imNWS_mintime\",\"EventEndTime\":\"imNWS_maxtime\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source or destination IP address is a known IoC. 
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e
6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.7\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated < ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient,\\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue,\\nResourceGroup, SubscriptionId\\n| extend Name = tostring(split(Caller, '@', 0)[0]), UPNSuffix = tostring(split(Caller, '@', 1)[0])\\n| extend timestamp = 
AzureActivity_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for 
Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | extend AccountName = tostring(split(TargetAccount, @'\\\\')[1]), AccountNTDomain = tostring(split(TargetAccount, 
@'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-apply 
TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\\n modProps = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = modProps on \\n (\\n where Property.displayName =~ \\\"Role.WellKnownObjectName\\\"\\n | extend DisplayName = trim('\\\"',tostring(Property.displayName)),\\n GroupName = trim('\\\"',tostring(Property.newValue))\\n )\\n| extend InitiatingAppId = tostring(InitiatedBy.app.appId)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingAppServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)) \\n| extend InitiatingUserRoles = InitiatedBy.user.roles\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatingAppName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppId, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserRoles, DisplayName, GroupName, TargetUserPrincipalName\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])\\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = 
tostring(split(TargetUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Microsoft Entra ID Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Microsoft Entra ID please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any ('0x2','0x100', '0x10', '0x4')\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend 
AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"[Deprecated] - Silk Typhoon UM Service writing suspicious file\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. 
To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where 
ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts > 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible Forest Blizzard attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential Forest Blizzard group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7965f0be-c039-4d18-8ee8-9a6add8aecf3\",\"name\":\"7965f0be-c039-4d18-8ee8-9a6add8aecf3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullN
ame\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DEV-0270 New User Creation\",\"description\":\"The following query tries to detect creation of a new user using a known DEV-0270 username/password schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/042f2801-a375-4cfd-bd29-041fc7ed88a0\",\"name\":\"042f2801-a375-4cfd-bd29-041fc7ed88a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n//Find risky Signin\\n| where RiskState == \\\"atRisk\\\" and ResultType == 0\\n| extend Signin_Time = TimeGenerated\\n| summarize\\n AppDisplayName=make_set(AppDisplayName),\\n ClientAppUsed=make_set(ClientAppUsed),\\n UserAgent=make_set(UserAgent),\\n CorrelationId=make_set(CorrelationId),\\n Signin_Time= min(Signin_Time),\\n RiskEventTypes=make_set(RiskEventTypes)\\n by\\n ConditionalAccessStatus,\\n IPAddress,\\n IsRisky,\\n ResourceDisplayName,\\n RiskDetail,\\n ResultType,\\n RiskLevelAggregated,\\n RiskLevelDuringSignIn,\\n RiskState,\\n UserPrincipalName=tostring(tolower(UserPrincipalName)),\\n SourceSystem\\n| 
join kind=inner (\\n CommonSecurityLog\\n | where DeviceVendor has_any (\\\"Palo Alto Networks\\\", \\\"Fortinet\\\", \\\"Check Point\\\", \\\"Zscaler\\\")\\n | where DeviceProduct startswith \\\"FortiGate\\\" or DeviceProduct startswith \\\"PAN\\\" or DeviceProduct startswith \\\"VPN\\\" or DeviceProduct startswith \\\"FireWall\\\" or DeviceProduct startswith \\\"NSSWeblog\\\" or DeviceProduct startswith \\\"URL\\\"\\n | where DeviceAction != \\\"Block\\\"\\n | where isnotempty(RequestURL)\\n | where isnotempty(SourceUserName)\\n | extend SourceUserName = tolower(SourceUserName)\\n | summarize\\n min(TimeGenerated),\\n max(TimeGenerated),\\n Activity=make_set(Activity)\\n by DestinationHostName, DestinationIP, RequestURL, SourceUserName=tostring(tolower(SourceUserName)),DeviceVendor,DeviceProduct\\n | extend 3p_observed_Time= min_TimeGenerated,Name = tostring(split(SourceUserName,\\\"@\\\")[0]),UPNSuffix =tostring(split(SourceUserName,\\\"@\\\")[1]))\\n on $left.IPAddress == $right.DestinationIP and $left.UserPrincipalName == $right.SourceUserName\\n| extend Timediff = datetime_diff('day', 3p_observed_Time, Signin_Time)\\n| where Timediff <= 1 and Timediff >= 0\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DestinationHostName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Risky user signin observed in non-Microsoft network device\",\"description\":\"This content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network 
devices.\",\"lastUpdatedDateUTC\":\"2024-06-14T00:00:00Z\",\"createdDateUTC\":\"2023-05-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend Name = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[0], Actor)\\n| extend UPNSuffix = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[1], \\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Actor\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPaddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or 
to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@'\\\\[?(::ffff:)?(?P(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\\\\d+))?', dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend From = ParsedParameters.From\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, 
Parameters\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == 'GET'\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated\\n| extend HostName = 
tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, AccountName = SubjectUserName, 
AccountNTDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName, SubjectAccount\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| where CommandLine contains \\\".decode('base64')\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding 
base64.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\"\\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName))\\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated >= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\"\\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount > ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', DefId),\\nstrcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\\n| where CurrentCount >= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount,\\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = StartTime\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = 
tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and not historically included in the allow list Build/Release runs.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has_any (\\\".decode('base64')\\\", 
\\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode('base64')\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName\\n| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious 
activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend AccountName = tostring(split(SourceUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUserName, \\\"@\\\")[1])\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft 
COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(InitiatingUserPrincipalName)\\n | summarize by InitiatingUserPrincipalName);\\n AuditLogs\\n | where TimeGenerated > ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | where isnotempty(InitiatingUserPrincipalName) and InitiatingUserPrincipalName !in (inviting_users)\\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend 
invitingUser = InitiatingUserPrincipalName, invitedUserPrincipalName = TargetUserPrincipalName\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, Result, TargetUserPrincipalName, TargetAadUserId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0255b5f-2a3c-4112-8744-e6757af3283a\",\"name\":\"d0255b5f-2a3c-4112-8744-e6757af3283a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P4D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"// You can leave out Anomalies that are already monitored through other Analytics Rules\\n//let _MonitoredRules = dynamic([\\\"TestAlertName\\\"]);\\nlet query_frequency = 1h;\\nlet query_lookback = 3d;\\nAnomalies\\n| where TimeGenerated > ago(query_frequency)\\n//| where not(RuleName has_any (_MonitoredRules))\\n| join kind = leftanti (\\n Anomalies\\n | where TimeGenerated between (ago(query_frequency + query_lookback)..ago(query_frequency))\\n | distinct RuleName\\n) on RuleName\\n| extend Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]), UPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Unusual Anomaly - 
{{RuleName}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":\"Tactics\",\"alertSeverityColumnName\":null},\"displayName\":\"Unusual Anomaly\",\"description\":\"Anomaly Rules generate events in the Anomalies table. This scheduled rule tries to detect Anomalies that are not usual, they could be a type of Anomaly that has recently been activated, or an infrequent type. The detected Anomaly should be reviewed, if it is relevant enough, eventually a separate scheduled Analytics Rule could be created specifically for that Anomaly Type, so an alert and/or incident is generated everytime that type of Anomaly happens.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',\\n 'Microsoft.Identity.Health.Adfs.InsightsService.exe',\\n 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',\\n 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',\\n 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe',\\n 
'Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe',\\n 'Microsoft.Identity.AadConnect.Health.AadSync.Host.exe',\\n 'Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe',\\n 'miiserver.exe'\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == '4656'\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == 'Key'\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, '\\\\\\\\', -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == '4656' and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == 'Key'\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, '\\\\\\\\')[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", 
tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == '4663'\\n| where ObjectType == 'Key'\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, '\\\\\\\\', -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == '4663' and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == 'Key'\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, '\\\\\\\\')[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != 'Machine'\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 
1), Computer)\\n| extend Name = tostring(split(Account, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Microsoft Entra ID Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra ID Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ac77493-3cae-4840-8634-15fb23f8fb68\",\"name\":\"8ac77493-3cae-4840-8634-15fb23f8fb68\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let BEC_Keywords = dynamic([ 'invoice','payment','paycheck','transfer','bank statement','bank details','closing','funds','bank account','account details','remittance','purchase','deposit',\\\"PO#\\\",\\\"Zahlung\\\",\\\"Rechnung\\\",\\\"Paiement\\\", \\\"virement bancaire\\\",\\\"Bankuberweisung\\\",'hacked','phishing']);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords '}'*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords '}'*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords '}'*\\n| where SubjectContainsWords has_any (BEC_Keywords)\\n or BodyContainsWords 
has_any (BEC_Keywords)\\n or SubjectOrBodyContainsWords has_any (BEC_Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend UserName = split(UserId, '@')[0], DomainName = split(UserId, '@')[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"UserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"DomainName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious BEC Inbox Rule\",\"description\":\"Often times after the initial compromise in a BEC attack the attackers create inbox rules to delete emails that contain certain keywords related to their BEC attack.\\n This is done so as to limit ability to warn compromised users that they've been compromised. 
\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@'\\\\[?(::ffff:)?(?P(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\\\\d+))?', dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount > 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.9\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n// let ioc_lookBack = 14d;\\n// ThreatIntelligenceIndicator\\n// // Picking up only IOC's that contain the entities we want\\n// | where isnotempty(Url)\\n// | where TimeGenerated >= ago(ioc_lookBack)\\n// | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// | 
where Active == true and ExpirationDateTime > now()\\n// // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n// | join kind=innerunique (\\n// OfficeActivity\\n// | where TimeGenerated >= ago(dt_lookBack)\\n// //Extract the Url from a number of potential fields\\n// | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n// | where isnotempty(Url)\\n// // Ensure we get a clean URL\\n// | extend Url = tostring(split(Url, ';')[0])\\n// | extend OfficeActivity_TimeGenerated = TimeGenerated\\n// // Project a single user identity that we can use for entity mapping\\n// | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n// ) on Url\\n// | where OfficeActivity_TimeGenerated < ExpirationDateTime\\n// | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n// | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation,\\n// UserType, OfficeWorkload, Parameters, Url, User\\n// | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(User, '@', 0)[0]), UPNSuffix = tostring(split(User, '@', 1)[0])\\ndatatable() []\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to OfficeActivity Data 
[Deprecated]\",\"description\":\"This query is Deprecated as its filter conditions will never yield results. This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in OfficeActivity data.\",\"lastUpdatedDateUTC\":\"2024-09-12T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Low\",\"query\":\"// Add or remove operation names below as per your requirements. For operations lists, please refer to https://learn.microsoft.com/en-us/Azure/role-based-access-control/resource-provider-operations#all\\nlet szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\", \\\"Microsoft.Resources/subscriptions/resourceGroups/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue, bin(TimeGenerated,1d)\\n// Returns all the records from the right side that don't have matches from the left.\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated > ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated,100), ActivityStatusValue = make_set(ActivityStatusValue,100), CorrelationIds = make_set(CorrelationId,100), ResourceGroups = make_set(ResourceGroup,100), ResourceIds = make_set(_ResourceId,100), ActivityCountByCallerIPAddress = count()\\nby CallerIpAddress, Caller, OperationNameValue) on CallerIpAddress, Caller, OperationNameValue;\\nRareCaller\\n| extend Name = iif(Caller has '@',tostring(split(Caller,'@',0)[0]),\\\"\\\")\\n| extend UPNSuffix = iif(Caller has '@',tostring(split(Caller,'@',1)[0]),\\\"\\\")\\n| extend AadUserId = iif(Caller !has '@',Caller,\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
caller.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 Encoded Windows Process Command-lines\",\"description\":\"This detection identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0\\n| project TimeGenerated, Total, baseline, 
anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated > ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated > ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress, 1000), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString, 1000) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h)\\n | where HourlyCount > 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc\\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100\\n| where PercentofTotal > percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc\\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId, SourceIPMax, IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"Client_IPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPMax\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for DNS events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now();\\n// Perform a join between IP indicators and DNS events\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated >= 
ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n | extend DNS_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.SingleIP\\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\\n | where DNS_TimeGenerated < ExpirationDateTime\\n // Group the results by IndicatorId and SingleIP, and keep the DNS event with the latest timestamp\\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, SingleIP\\n // Select the desired output fields\\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n | extend timestamp = DNS_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to DnsEvents\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in 
DnsEvents.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f4a28082-2808-4783-9736-33c1ae117475\",\"name\":\"f4a28082-2808-4783-9736-33c1ae117475\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"REDACTED\",\"customDetails\":{\"AwsUser\":\"UserIdentityArn\",\"RiskEventTypes\":\"RiskEventTypes\",\"AzureUser\":\"UserPrincipalName\",\"AWSEventName\":\"EventName\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"High-Risk Cross-Cloud User Impersonation\",\"description\":\"This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. 
It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.\",\"lastUpdatedDateUTC\":\"2023-11-12T00:00:00Z\",\"createdDateUTC\":\"2023-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = 
dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\",\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognize
d-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\",\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * '(' DNSName ')' *\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList))\\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList)))\\nor 
(isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , 
AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames)\\n| extend DNSName = Request_Name \\n| extend IPCustomEntity = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames) \\n| extend DNSName = Fqdn \\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Phosphorus group domains/IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of 
Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Schedu
led\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.2.4\",\"severity\":\"Medium\",\"query\":\"// Set threshold for the number of downloads/uploads from a new user agent\\nlet threshold = 5;\\n// Define constants for SharePoint file operations\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\n// Define the historical activity for analysis\\nlet starttime = 14d; // Define the start time for historical data (14 days ago)\\nlet endtime = 1d; // Define the end time for historical data (1 day ago)\\n// Extract the base events for analysis\\nlet Baseevents =\\n OfficeActivity\\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where RecordType =~ szSharePointFileOperation\\n | where Operation in~ (szOperations)\\n | where isnotempty(UserAgent);\\n// Identify frequently occurring user agents\\nlet FrequentUA = Baseevents\\n | summarize FUACount = count() by UserAgent, RecordType, Operation\\n | where FUACount >= threshold\\n | distinct UserAgent;\\n// Calculate a user baseline for further analysis\\nlet UserBaseLine = Baseevents\\n | summarize Count = count() by UserId, Operation, Site_Url\\n | summarize AvgCount = avg(Count) by UserId, Operation, Site_Url;\\n// Extract recent activity for analysis\\nlet RecentActivity = OfficeActivity\\n | where TimeGenerated > ago(endtime)\\n | where RecordType =~ szSharePointFileOperation\\n | where Operation in~ (szOperations)\\n | where isnotempty(UserAgent)\\n | where UserAgent in~ (FrequentUA)\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OfficeObjectIdCount = dcount(OfficeObjectId), OfficeObjectIdList = make_set(OfficeObjectId), UserAgentSeenCount = count() \\n by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url;\\n// Analyze user behavior based on 
baseline and recent activity\\nlet UserBehaviorAnalysis = UserBaseLine\\n | join kind=inner (RecentActivity) on UserId, Operation, Site_Url\\n | extend Deviation = abs(UserAgentSeenCount - AvgCount) / AvgCount;\\n// Filter and format results for specific user behavior analysis\\nUserBehaviorAnalysis\\n | where Deviation > 25\\n | extend UserIdName = tostring(split(UserId, '@')[0]), UserIdUPNSuffix = tostring(split(UserId, '@')[1])\\n | project-reorder StartTime, EndTime, UserAgent, UserAgentSeenCount, UserId, ClientIP, Site_Url\\n | project-away Site_Url1, UserId1, Operation1\\n | order by UserAgentSeenCount desc, UserAgent asc, UserId asc, Site_Url asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"UserIdName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserIdUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Site_Url\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 
25).\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0101e08d-99cd-4a97-a9e0-27649c4369ad\",\"name\":\"0101e08d-99cd-4a97-a9e0-27649c4369ad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User & Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedOutboundSettings and ModifiedOutboundSettings are interpreted accordingly\\n// When Access Type in premodified outbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified outbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified outbound settings value is 1 that means that now access is allowed. 
When Access Type in modified outbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bDirectConnectOutbound\\\"\\n | extend PremodifiedOutboundSettings = trim('\\\"',tostring(Property.oldValue)),\\n ModifiedOutboundSettings = trim(@'\\\"',tostring(Property.newValue))\\n )\\n| where PremodifiedOutboundSettings != ModifiedOutboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Outbound Direct Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. 
This detection notifies when Organization Outbound Direct Settings are changed for \\\"Users & Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8955c0fb-3408-47b0-a3b9-a1faec41e427\",\"name\":\"8955c0fb-3408-47b0-a3b9-a1faec41e427\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^']*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), 
Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. \\nThis query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nThis log is commonly found at C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\Logging\\\\OABGeneratorLog on the Exchange server. Details on collecting custom logs into Sentinel\\ncan be found here: https://learn.microsoft.com/azure/sentinel/connect-custom-logs\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"// Define the lookback periods for time-based filters\\nlet dt_lookBack = 1h; // Look back 1 hour for DNS events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to domains\\nlet Domain_Indicators = 
ThreatIntelligenceIndicator\\n // Filter out indicators without domain names\\n | where isnotempty(DomainName)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now()\\n | extend TI_DomainEntity = DomainName;\\n// Create a list of TLDs in our threat feed for later validation\\nlet maxListSize = 100000; // Define the maximum allowed size for each list\\nlet list_tlds = Domain_Indicators\\n | extend parts = split(DomainName, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | project tld\\n | summarize make_list(tld, maxListSize);\\n// Perform a join between domain indicators and DNS events to identify potential malicious activity\\nDomain_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated > ago(dt_lookBack)\\n // Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n ) on $left.TI_DomainEntity==$right.Name\\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\\n | where DNS_TimeGenerated < ExpirationDateTime\\n // Group the results by IndicatorId and Name, and keep the DNS event with the latest timestamp\\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, Name\\n // Select the desired output fields\\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType, Type, 
TI_DomainEntity\\n // Extract hostname and DNS domain from the Computer field\\n | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\\n // Rename the timestamp field\\n | extend timestamp = DNS_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query
\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ 'Update Application'\\n | where TargetResources has \\\"AppAddress\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all('\\\"Address\\\":([^,]*)', tostring(NewValue))\\n | extend OldUrls = extract_all('\\\"Address\\\":([^,]*)', tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) > 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend AddedBy = iif(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)\\n | extend TargetAppName = tostring(TargetResources.displayName)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, TargetAppName, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, AddedUrls, 
AddedBy, UserAgent\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where isnotempty(FileHashValue)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| extend FileHashValue = toupper(FileHashValue)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( union isfuzzy=true\\n (SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated >= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = 
EventID, FileHash = toupper(EventData.FileHash)\\n )\\n)\\non $left.FileHashValue == $right.FileHash\\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nProcess, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n| extend NTDomain = tostring(split(Account, '\\\\\\\\', 0)[0]), Name = tostring(split(Account, '\\\\\\\\', 1)[0])\\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')) \\n| extend timestamp = SecurityEvent_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = @\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = 
@\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it's still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. 
We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it's not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it's IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query joins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. 
Alerts indicate that the IP address of a machine within your network was seen with it's IP address base64 encoded in an outbound web request. This method of egressing the IP was seen used in POLONIUM's RunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated > ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any 
(build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, \\ntimekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated > ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, FileEditDomain = InitiatingProcessAccountDomain, FileEditUpn = InitiatingProcessAccountUpn, \\nDeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime <= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess) by timekey, DeviceName, BuildParentProcess, BuildProcess, FileEditAccount, FileEditDomain, FileEditUpn\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), 
DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"FileEditUpn\"},{\"identifier\":\"Name\",\"columnName\":\"FileEditAccount\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"FileEditDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\") \\n| 
where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\\n | extend props = TargetResource.modifiedProperties,\\n Type = tostring(TargetResource.type),\\n PermissionsAddedTo = tostring(TargetResource.displayName)\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend DisplayName = tostring(Property.displayName), Permissions = trim('\\\"',tostring(Property.newValue))\\n )\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend InitiatingUserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project-away props, TargetResource, AdditionalDetail, Property\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend AppName = tostring(TargetResource.displayName),\\n AppId = tostring(TargetResource.id)\\n )\\n| project AppName, AppId, CorrelationId) on CorrelationId\\n| project-away CorrelationId1\\n| project-reorder TimeGenerated, OperationName, 
InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend Name = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. 
This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\\n modProps = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = modProps on \\n (\\n where Property.displayName =~ \\\"Role.WellKnownObjectName\\\"\\n | extend DisplayName = trim('\\\"',tostring(Property.displayName)),\\n GroupName = trim('\\\"',tostring(Property.newValue))\\n )\\n| extend InitiatingAppId = InitiatedBy.app.appId\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend 
InitiatingAppServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingUserRoles = InitiatedBy.user.roles\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatingAppName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppId, InitiatingAppName, InitiatingAppServicePrincipalName, InitiatingAppServicePrincipalId, InitiatingIpAddress, DisplayName, GroupName, InitiatingUserRoles, TargetUserPrincipalName\\n| extend AccountName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), AccountUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])\\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = 
tostring(split(TargetUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Microsoft Entra ID Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Microsoft Entra ID please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"name\":\"a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629\\\", \\\"0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f\\\", \\\"441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964\\\", \\\"cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b\\\", \\\"fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc\\\", \\\"5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206\\\", \\\"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc\\\", \\\"02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d\\\", \\\"7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d\\\", \\\"afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec\\\", \\\"894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53\\\", \\\"4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431\\\", \\\"c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d\\\", \\\"fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca\\\", 
\\\"e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = 'SHA256', Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where (Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = 
InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"[Deprecated] - Denim Tsunami File Hashes July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\" \\n| where Operation =~ \\\"New-InboxRule\\\" and (ResultStatus =~ \\\"True\\\" or ResultStatus =~ \\\"Succeeded\\\")\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords '}'*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords '}'*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords '}'*\\n| where SubjectContainsWords has_any 
(Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\\n| extend OriginatingServerName = tostring(split(OriginatingServer, \\\" \\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServerName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they've been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension 
Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName =~ \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider =~ \\\"Microsoft-Windows-Eventlog\\\"\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n)\\n)\\n| extend Name=tostring(split(Account, \\\"@\\\")[0]), UPNSuffix=tostring(split(Account, \\\"@\\\")[1])\\n| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has 
'.',substring(Computer,indexof(Computer,'.')+1),'')\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or 
isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, Name = tostring(split(user_name_s, '@', 0)[0]), UPNSuffix = tostring(split(user_name_s, '@', 
1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"user_name_s\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"access_device_ip_s\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to Duo Security\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DuoSecurity.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"CiscoDuoSecurity\",\"dataTypes\":[\"CiscoDuo\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic(['vbscript','jscript']);\\nlet cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);\\nlet cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where TimeGenerated >= ago(14d)\\n| where EventID == 
4688\\n| where CommandLine has @'\\\\Microsoft\\\\Windows\\\\CurrentVersion'\\n| where not(CommandLine has_any (@'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run', @'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce'))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n),\\n(WindowsEvent\\n| where TimeGenerated >= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @'\\\\Microsoft\\\\Windows\\\\CurrentVersion'\\n| where not(EventData has_any (@'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run', @'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce'))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @'\\\\Microsoft\\\\Windows\\\\CurrentVersion'\\n| where not(CommandLine has_any (@'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run', @'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce'))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, 
ParentProcessName, _ResourceId)\\n| extend Name = tostring(split(Account, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[0])\\n| extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')), HostName = tostring(split(Computer, '.', 0)[0]))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Midnight Blizzard - Script payload stored in Registry\",\"description\":\"This query identifies when a process execution command-line indicates that a registry value is written to allow for later execution a malicious script\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents\\n| where TimeGenerated > ago(endtime)\\n| where Name has \\\"in-addr.arpa\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name), ReverseDNSLookup_List = make_set(Name,100) by ClientIP\\n| where dcount_Name > threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name, ReverseDNSLookup_List\\n// Filter out previously seen IPs\\n// Returns all the records from the left side that don't have matches from the right\\n| join kind=leftanti (DnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name has \\\"in-addr.arpa\\\"\\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name > threshold\\n | project ClientIP , dcount_Name\\n) on 
ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts that could be carrying out reconnaissance or discovery activity.\\nAlerts are generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = dynamic(['Blocked', 'Detected']);\\nlet successCode = dynamic(['200', '101','204', '400','504','304','401','500']);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated > ago(queryperiod)\\n| where ResourceProvider == 'MICROSOFT.NETWORK' and Category =~ 'ApplicationGatewayFirewallLog' and action_s in (mode)\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, 
SessionBlockedStarted\\n| extend TimeKey = range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated > ago(queryperiod)\\n | where Category =~ 'ApplicationGatewayAccessLog' and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n | extend hostname_s = coalesce(hostname_s,host_s), clientIp_s = coalesce(clientIp_s,clientIP_s)\\n) on TimeKey, hostname_s , clientIp_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount > SuccessfulAccessCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, SessionBlockedStarted asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIp_s\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in 
sessions where the WAF blocked incoming requests by computing the ratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric).\\nA high ratio value for a given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number of blocked requests and a few unobstructed logs that may be malicious but have passed undetected through the WAF. The successCode variable defines what the detection thinks is a successful status code and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.6\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = 
MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the _Im_Dns and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = _Im_Dns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (IPList) | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the _Im_DNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in ('0.0.0.0','127.0.0.1');\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPEntity = SourceIPAddress , AccountEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress, HostEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountEntity = UserName, HostEntity = Computer , IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project 
TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountEntity = UserPrincipalName, IPEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountEntity = UserPrincipalName, IPEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPEntity = cIP, HostEntity = Computer, AccountEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPEntity = CallerIpAddress, AccountEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPEntity = SourceIpAddress, AccountEntity = UserIdentityUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType =~ \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol 'request from ' SourceIP ':' SourcePort 'to ' DestinationIP ':' DestinationPort '. Action:' Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIP\\n)\\n// If you have enabled the _Im_Dns and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. 
Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(_Im_Dns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress, HostEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPEntity = DstIpAddr, HostEntity = SrcIpAddr\\n//)\\n)\\n| extend Name = tostring(split(AccountEntity, '@', 0)[0]), UPNSuffix = tostring(split(AccountEntity, '@', 1)[0])\\n| extend HostName = tostring(split(HostEntity, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(HostEntity, '.'), 1, -1), '.'))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228.\\n References: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\",\"lastUpdatedDateUTC\":\"2024-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = 
dynamic ([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * 'TargetFilename\\\">' TargetFilename \\\"<\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * 'ProcessGuid\\\">' ProcessGuid \\\"<\\\" * 'Image\\\">' Image \\\"<\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\\n| extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. 
Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation, 500);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", 
(split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office Policy Tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, 
TimeGenerated\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"// We can use this configuration TimeDeltaInMinutes if you want to chnage the time window that we try to match the alerts\\nlet TimeDeltaInMinutes = 10;\\nlet Alert_UnfamiliarSignInProps = \\nSecurityAlert\\n| where TimeGenerated > ago(1d)\\n| where ProductName =~ \\\"Azure Active Directory Identity Protection\\\"\\n| where AlertName =~ \\\"Unfamiliar sign-in properties\\\"\\n| mv-expand Entity = todynamic(Entities)\\n| where Entity.Type =~ \\\"account\\\"\\n| extend AadTenantId = tostring(Entity.AadTenantId)\\n| extend AadUserId = tostring(Entity.AadUserId)\\n| join kind=inner (\\nIdentityInfo\\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\\n| extend 
UserName = AccountDisplayName\\n| extend UserAccount = AccountUPN\\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\\n)\\non\\n$left.AadTenantId == $right.AccountTenantId,\\n$left.AadUserId == $right.AccountObjectId\\n| extend CompromisedEntity = iff(CompromisedEntity == \\\"N/A\\\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\\n| extend Alert_UnfamiliarSignInProps_Time = TimeGenerated\\n| extend Alert_UnfamiliarSignInProps_Name = AlertName\\n| extend Alert_UnfamiliarSignInProps_Severity = AlertSeverity\\n| project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, UserAccount, UserName\\n;\\nlet Alert_AtypicalTravels = \\nSecurityAlert\\n| where TimeGenerated > ago(1d)\\n| where ProductName =~ \\\"Azure Active Directory Identity Protection\\\"\\n| where AlertName =~ \\\"Atypical travel\\\"\\n| mv-expand Entity = todynamic(Entities)\\n| where Entity.Type =~ \\\"account\\\"\\n| extend AadTenantId = tostring(Entity.AadTenantId)\\n| extend AadUserId = tostring(Entity.AadUserId)\\n| join kind=inner (\\nIdentityInfo\\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\\n| extend UserName = AccountDisplayName\\n| extend UserAccount = AccountUPN\\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\\n)\\non\\n$left.AadTenantId == $right.AccountTenantId,\\n$left.AadUserId == $right.AccountObjectId\\n| extend CompromisedEntity = iff(CompromisedEntity == \\\"N/A\\\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\\n| extend Alert_AtypicalTravels_Time = TimeGenerated\\n| extend Alert_AtypicalTravels_Name = AlertName\\n| extend Alert_AtypicalTravels_Severity = AlertSeverity\\n| extend ExtendedProperties_json= 
parse_json(ExtendedProperties)\\n| extend CurrentLocation = tostring(ExtendedProperties_json.[\\\"Current Location\\\"])\\n| extend PreviousLocation = tostring(ExtendedProperties_json.[\\\"Previous Location\\\"])\\n| extend CurrentIPAddress = tostring(ExtendedProperties_json.[\\\"Current IP Address\\\"])\\n| extend PreviousIPAddress = tostring(ExtendedProperties_json.[\\\"Previous IP Address\\\"])\\n| project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, CurrentIPAddress, PreviousIPAddress, CurrentLocation, PreviousLocation, UserAccount, UserName, CompromisedEntity\\n;\\nAlert_UnfamiliarSignInProps\\n| join kind=inner Alert_AtypicalTravels on UserAccount\\n| where abs(datetime_diff('minute', Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Time)) <= TimeDeltaInMinutes\\n| extend TimeDelta = Alert_UnfamiliarSignInProps_Time - Alert_AtypicalTravels_Time\\n| project UserAccount, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress, UserName\\n| extend UserEmailName = split(UserAccount,'@')[0], UPNSuffix = 
split(UserAccount,'@')[1]\",\"customDetails\":{\"Alert1_Name\":\"Alert_UnfamiliarSignInProps_Name\",\"Alert1_Time\":\"Alert_UnfamiliarSignInProps_Time\",\"Alert1_Severity\":\"Alert_UnfamiliarSignInProps_Severity\",\"Alert2_Name\":\"Alert_AtypicalTravels_Name\",\"Alert2_Time\":\"Alert_AtypicalTravels_Time\",\"Alert2_Severity\":\"Alert_AtypicalTravels_Severity\",\"TimeDelta\":\"TimeDelta\",\"CurrentLocation\":\"CurrentLocation\",\"PreviousLocation\":\"PreviousLocation\",\"CurrentIPAddress\":\"CurrentIPAddress\",\"PreviousIPAddress\":\"PreviousIPAddress\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"},{\"identifier\":\"Name\",\"columnName\":\"UserEmailName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CurrentIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PreviousIPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties & atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2023-04-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05eca115-c4b5-48e4-ba6e-07db57695be2\",\"name\":\"05eca115-c4b5-48e4-ba6e-07db57695be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let baseline_time = 7d;\\nlet detection_time = 1d;\\nDynamics365Activity\\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time-1d))\\n| where OriginalObjectId contains 'ExportToExcel'\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend HistoricalBaseline = sum_QueryCount\\n| join (Dynamics365Activity\\n| where TimeGenerated > ago(detection_time)\\n| where OriginalObjectId contains 'ExportToExcel'\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| summarize sum(QueryCount) by UserId\\n| extend CurrentExportRate = sum_QueryCount) on UserId\\n| where CurrentExportRate > HistoricalBaseline\\n| project UserId, HistoricalBaseline, CurrentExportRate\\n| join kind=inner(Dynamics365Activity\\n| where TimeGenerated > ago(detection_time)\\n| where OriginalObjectId contains 'ExportToExcel'\\n| extend numQueryCount = 
todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))) on UserId\\n| project TimeGenerated, UserId, QueryCount, UserAgent, OriginalObjectId, ClientIP, HistoricalBaseline, CurrentExportRate, CorrelationId, CrmOrganizationUniqueName\\n| summarize QuerySizes = make_set(QueryCount), MostRecentQuery = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId, CrmOrganizationUniqueName, HistoricalBaseline, CurrentExportRate\\n| extend timestamp = MostRecentQuery, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Mass Export of Dynamics 365 Records to Excel\",\"description\":\"The query detects user exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user.\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on 
all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated > ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\\n | extend HostName = tostring(split(DvcHostname, \\\".\\\")[0]), DomainIndex = toint(indexof(DvcHostname, '.'))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)\\n | project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", 
ignoreFirstRecord=True);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any ('reg add') or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC 
detected'\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Caramel Tsunami Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC's related to an actor tracked by Microsoft as Caramel Tsunami\",\"lastUpdatedDateUTC\":\"2023-07-18T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| where SrcIpAddr !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize AttemptedPortsCount=dcount(DstPortNumber), AttemptedPorts=make_set(DstPortNumber, 100), ReportedBy=make_set(strcat(EventVendor, \\\"/\\\", EventProduct), 20) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount > 
PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} ports within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession 
schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\"
,\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountEntity = Account, HostEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountEntity = Account, HostEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated >= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName, HostEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated > 
ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated >= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountEntity = User, HostEntity = Computer\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(HostEntity, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(HostEntity, DomainIndex + 1), HostEntity)\\n| extend AccountName = tostring(split(AccountEntity, @'\\\\')[1]), AccountDomain = tostring(split(AccountEntity, @'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountEntity\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this 
query can be changed to use the KQL \\\"has_all\\\" operator, which hasn't yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps \",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\", \\\"CaddyWiper\\\", \\\"AprilAxe\\\", \\\"FiberLake\\\", \\\"Industroyer\\\", \\\"DesertBlade\\\"]);\\nSecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatFamilyName in~ (UA_threats)\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), 
CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1d;\\nlet TotalEventsThreshold = 25;\\nlet TimeSeriesData = AzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now())) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Caller;\\nTimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit') \\n| mv-expand Total 
to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where TimeGenerated >= startofday(ago(endtime)) \\n| where anomalies > 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total > TotalEventsThreshold and baseline > 0 \\n| join (AzureActivity \\n| where TimeGenerated > startofday(ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue,100), make_set(_ResourceId,100) by bin(TimeGenerated, timeframe), Caller ) on TimeGenerated, Caller \\n| extend Name = iif(Caller has '@',tostring(split(Caller,'@',0)[0]),\\\"\\\")\\n| extend UPNSuffix = iif(Caller has '@',tostring(split(Caller,'@',1)[0]),\\\"\\\")\\n| extend AadUserId = iif(Caller !has '@',Caller,\\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates the baseline pattern of cloud resource deletions by an individual and generates an anomaly when any unusual spike is detected. 
These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary.\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11c3d541-5fa5-49df-8218-d1c98584473b\",\"name\":\"11c3d541-5fa5-49df-8218-d1c98584473b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"REDACTED\",\"customDetails\":{\"AWSUser\":\"UserIdentityArn\",\"AlertIp\":\"ipAddress\",\"AlertName\":\"AlertName\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User impersonation by Identity Protection alerts\",\"description\":\"This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user's IP address matches and alerts generated by Identity Protection share the same IP address. 
The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic(['foo@baz.com', 'test@foo.com']);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated >= ago(endtime)\\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName '(Organization)'\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name,\\n BypassReason = Data.BypassReason, PRLink = strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_git/', Data.RepoName, '/pullrequest/', Data.PullRequestId)\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"PRLink\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet Signins = materialize(union isfuzzy=true\\n (SigninLogs\\n | where TimeGenerated >= ago(dt_lookBack)),\\n (AADNonInteractiveUserSignInLogs\\n | where TimeGenerated >= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)));\\nlet SigninIPs = Signins | summarize make_list(IPAddress);\\nlet TI = materialize(ThreatIntelligenceIndicator\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | extend TI_ipEntity = coalesce(NetworkIP, EmailSourceIpAddress, NetworkDestinationIP, NetworkSourceIP)\\n | where TI_ipEntity in (SigninIPs)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now()\\n | where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\");\\nTI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (Signins) on $left.TI_ipEntity == $right.IPAddress\\n| 
project-rename SigninLogs_TimeGenerated = TimeGenerated\\n| where SigninLogs_TimeGenerated < ExpirationDateTime\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to SigninLogs\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in 
SigninLogs.\",\"lastUpdatedDateUTC\":\"2023-07-18T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize 
make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\\n| extend AccountName = tostring(split(SrcUsername, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \\\"@\\\")[1])\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.
You can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~ 'Add member to role request denied (PIM activation)'\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"Role\\\"\\n | extend Role = trim(@'\\\"',tostring(ResourceItem.displayName))\\n )\\n| mv-apply ResourceItem = TargetResources on \\n (\\n where ResourceItem.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = trim(@'\\\"',tostring(ResourceItem.userPrincipalName))\\n )\\n| where ResultReason != \\\"RoleAssignmentExists\\\"\\n| where isnotempty(InitiatedBy.user)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend TargetName = 
tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])\\n| project-reorder TimeGenerated, TargetUserPrincipalName, Role, OperationName, Result, ResultDescription\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2024-08-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has 'CVE-2021-38647'\\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\\\"' *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend HostName = tostring(split(VirtualMAchine, \\\".\\\")[0]), DomainIndex = toint(indexof(VirtualMAchine, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(VirtualMAchine, DomainIndex + 1), VirtualMAchine)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"VirtualMAchine\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD 
CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647.\\nOMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold\\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated > ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction\\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source->destination 'sessions'\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds > TimeDeltaThresholdInSeconds\\n// summarize the deltas by source->destination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. 
laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity >= 
(10*TimeDeltaThresholdInSeconds)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Medium\",\"query\":\"let riskScoreCutoff = 20; //Adjust this based on volume of results\\nlet starttime = 
14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, 'linefit')\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies > 0 and baseline > baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated > startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated > startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, 
ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\\n| extend UserPrincipalName = tolower(UserPrincipalName)\\n| join kind=leftouter (\\n IdentityInfo\\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled\\n | summarize\\n Tags = make_set(Tags, 1000),\\n GroupMembership = make_set(GroupMembership, 1000),\\n AssignedRoles = make_set(AssignedRoles, 1000),\\n UserType = make_set(UserType, 1000),\\n UserAccountControl = make_set(UserType, 1000)\\n by AccountUPN\\n | extend UserPrincipalName=tolower(AccountUPN)\\n) on UserPrincipalName\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where isnotempty(SourceIPAddress)\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\\n | project-rename IPAddress = SourceIPAddress\\n | summarize\\n UsersInsights = make_set(UsersInsights, 1000),\\n DevicesInsights = make_set(DevicesInsights, 1000),\\n IPInvestigationPriority = sum(InvestigationPriority)\\n by IPAddress)\\non IPAddress\\n| extend UEBARiskScore = IPInvestigationPriority\\n| where UEBARiskScore > riskScoreCutoff\\n| sort by UEBARiskScore 
desc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.\",\"lastUpdatedDateUTC\":\"2024-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity
\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend TargetUserPrincipalName = TargetResources[0].userPrincipalName\\n | extend TargetAadUserId = tostring(TargetResources[0].id)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend TargetAppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | extend AddedUser = TargetUserPrincipalName\\n | extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, TargetAppName, AddedUser, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create 
incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog\\n| where isempty(CommunicationDirection)\\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\nlet permissions = dynamic([\\\".All\\\", \\\"ReadWrite\\\", \\\"Mail.\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n\\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\nlet auditList = \\nAuditLogs\\n| where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources[0].modifiedProperties\\n| extend TargetResources_0_modifiedProperties = column_ifexists(\\\"TargetResources_0_modifiedProperties\\\", '')\\n| where isnotempty(TargetResources_0_modifiedProperties)\\n;\\nlet detailsList = auditList\\n| where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n| extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n| where Permissions has_any 
(permissions)\\n| summarize AddedPermissions=make_set(Permissions,200) by CorrelationId\\n| join kind=inner auditList on CorrelationId\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n| extend displayName = tostring(TargetResources_0_modifiedProperties.displayName), newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n| where displayName == \\\"ServicePrincipal.ObjectID\\\" or displayName == \\\"ServicePrincipal.DisplayName\\\"\\n| extend displayName = case(displayName == \\\"ServicePrincipal.ObjectID\\\", \\\"ServicePrincipalObjectID\\\", displayName == \\\"ServicePrincipal.DisplayName\\\", \\\"ServicePrincipalDisplayName\\\", displayName)\\n| project TimeGenerated, CorrelationId, Id, AddedPermissions = tostring(AddedPermissions), InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIPAddress, InitiatingUserPrincipalName, InitiatedBy, displayName, newValue\\n;\\ndetailsList | project Id, displayName, newValue\\n| evaluate pivot(displayName, make_set(newValue))\\n| join kind=inner detailsList on Id\\n| extend ServicePrincipalObjectID = todynamic(column_ifexists(\\\"ServicePrincipalObjectID\\\", \\\"\\\")), ServicePrincipalDisplayName = todynamic(column_ifexists(\\\"ServicePrincipalDisplayName\\\", \\\"\\\"))\\n| mv-expand ServicePrincipalObjectID, ServicePrincipalDisplayName\\n| project-away Id1, displayName, newValue\\n| extend ServicePrincipalObjectID = tostring(ServicePrincipalObjectID), ServicePrincipalDisplayName = 
tostring(ServicePrincipalDisplayName)\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), EventIds = make_set(Id,200) by CorrelationId, AddedPermissions, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIPAddress, InitiatingUserPrincipalName, InitiatedBy, ServicePrincipalDisplayName, ServicePrincipalObjectID\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"ServicePrincipalObjectID\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/defe4855-0d33-4362-9557-009237623976\",\"name\":\"defe4855-0d33-4362-9557-009237623976\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let query_frequency = 1h;\\nlet query_period = 1d;\\nAuditLogs\\n| where TimeGenerated > ago(query_frequency)\\n| where Category =~ \\\"UserManagement\\\" and OperationName =~ \\\"Delete user\\\"\\n| mv-expand TargetResource = TargetResources\\n| where TargetResource[\\\"type\\\"] == \\\"User\\\" and TargetResource[\\\"userPrincipalName\\\"] has \\\"#EXT#\\\"\\n| extend ParsedDeletedUserPrincipalName = extract(@\\\"^[0-9a-f]{32}([^\\\\#]+)\\\\#EXT\\\\#\\\", 1, tostring(TargetResource[\\\"userPrincipalName\\\"]))\\n| extend\\n Initiator = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"displayName\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"userPrincipalName\\\"])),\\n InitiatorId = iif(isnotempty(InitiatedBy[\\\"app\\\"]), tostring(InitiatedBy[\\\"app\\\"][\\\"servicePrincipalId\\\"]), tostring(InitiatedBy[\\\"user\\\"][\\\"id\\\"])),\\n Delete_IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])][\\\"ipAddress\\\"])\\n| project Delete_TimeGenerated = 
TimeGenerated, Category, Identity, Initiator, Delete_IPAddress, OperationName, Result, ParsedDeletedUserPrincipalName, InitiatedBy, AdditionalDetails, TargetResources, InitiatorId, CorrelationId\\n| join kind=inner (\\n SigninLogs\\n | where TimeGenerated > ago(query_period)\\n | where ResultType == 0\\n | summarize take_any(*) by UserPrincipalName\\n | extend ParsedUserPrincipalName = translate(\\\"@\\\", \\\"_\\\", UserPrincipalName)\\n | project SigninLogs_TimeGenerated = TimeGenerated, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, IPAddress, LocationDetails, AppDisplayName, ResourceDisplayName, ClientAppUsed, UserAgent, DeviceDetail, UserId, UserType, OriginalRequestId, ParsedUserPrincipalName\\n ) on $left.ParsedDeletedUserPrincipalName == $right.ParsedUserPrincipalName\\n| where SigninLogs_TimeGenerated > Delete_TimeGenerated\\n| project-away ParsedDeletedUserPrincipalName, ParsedUserPrincipalName\\n| extend\\n AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]),\\n AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Suspicious Login from deleted guest account\",\"description\":\" This query will detect logins from guest account which was recently deleted. 
\\nFor any successful logins from deleted identities should be investigated further if any existing user accounts have been altered or linked to such identity prior deletion\",\"lastUpdatedDateUTC\":\"2024-01-03T00:00:00Z\",\"createdDateUTC\":\"2022-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ 'Update Application'\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all('\\\"Address\\\":([^,]*)', 
tostring(NewValue))\\n | extend OldUrls = extract_all('\\\"Address\\\":([^,]*)', tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) > 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend AddedUrls = trim(@'\\\"', tostring(AddedUrls))\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(AddedUrls), '\\\"', \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, InitiatedBy, UserAgent, InitiatingIPAddress\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: 
https://learn.microsoft.com/en-gb/entra/architecture/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16da3a2a-af29-48a0-8606-d467c180fe18\",\"name\":\"16da3a2a-af29-48a0-8606-d467c180fe18\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let Threshold = 1;\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"AnomalyScoring\\\"\\n| where details_msg_s has \\\"SQL Injection\\\"\\n| parse details_data_s with MessageText \\\"Matched Data:\\\" MatchedData \\\"AND \\\" * \\\"table_name FROM \\\" TableName \\\" \\\" *\\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\\n| join kind = inner(\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"Block\\\") on trackingReference_s\\n| summarize URI_s = make_set(requestUri_s,100), Table = make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by 
clientIP_s, host_s, action_s\\n| where Total_TrackingReference >= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URI_s\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIP_s\"}]}],\"tactics\":[\"DefenseEvasion\",\"Execution\",\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Front Door Premium WAF - SQLi Detection\",\"description\":\"Identifies a match for a SQL Injection attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.\\nReferences: https://owasp.org/Top10/A03_2021-Injection/\",\"lastUpdatedDateUTC\":\"2023-12-20T00:00:00Z\",\"createdDateUTC\":\"2022-10-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") 
\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, 
HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (IPList) \\n| extend DestinationIP = Fqdn \\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWNetworkRule\\n| where isnotempty(DestinationIp)\\n| where DestinationIp has_any (IPList) \\n| extend DestinationIP = DestinationIp \\n| extend IPCustomEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, 
\\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Seashell Blizzard IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvent
s\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName: string) {\\n table(tableName)\\n | where ResultType == 500121\\n | where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n | extend Type = Type, PublicIP = IPAddress\\n | extend\\n Name = tostring(split(UserPrincipalName, '@', 0)[0]),\\n UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet dvcInfo = DeviceInfo\\n | extend SensorHealthState = column_ifexists(\\\"SensorHealthState\\\", \\\"\\\")\\n | where OnboardingStatus == \\\"Onboarded\\\" and SensorHealthState == \\\"Active\\\"\\n | project PublicIP, AadDeviceId;\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| join kind=leftouter dvcInfo on PublicIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"},{\"identifier\":\"AppId\",\"columnName\":\"AppId\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"[Deprecated] Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.\\nThis rule is deprecated as of July-2024. 
Alternative rule with similar logic and contex from more data source \\nis available at https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/MFARejectedbyUser.yaml\",\"lastUpdatedDateUTC\":\"2024-07-25T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"WorkstationName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows Logon Failures\",\"description\":\"This query identifies user accounts which has over 50 Windows logon failures today and at 
least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend HashAlgorithm = \\\"MD5\\\"\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), 
DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"MD5\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2024-04-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"let threshold = 1; // Modify this threshold value to reduce false positives based on your environment\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| mv-apply CAP = parse_json(ConditionalAccessPolicies) on (\\n project ConditionalAccessPoliciesName = CAP.displayName, result = CAP.result\\n | where result =~ \\\"failure\\\"\\n)\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status,10), StatusDetails = 
make_list(StatusDetails,50), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId,100), ConditionalAccessPoliciesName = make_list(ConditionalAccessPoliciesName,100)\\nby UserPrincipalName, UserId, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, Type\\n| where IPAddressCount > threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mv-expand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses,100), Status = make_set(Status,10), CorrelationIds = make_set(CorrelationIds,100), ConditionalAccessPoliciesName = make_set(ConditionalAccessPoliciesName,100)\\nby StartTime, EndTime, UserPrincipalName, UserId, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, IPAddressCount, Type\\n| extend IPAddressFirst = tostring(IPAddresses[0]), Name = tostring(split(UserPrincipalName, \\\"@\\\")[0]), UPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddressFirst\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Microsoft Entra ID\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID.\\nThe ConditionalAccessStatus column value details if there was 
an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences:\\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue < Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount > triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated > ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) > dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri's and/or >=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ > 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non 
DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated > ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance.\\nThis detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\\nNOTE - The top1M csv zip file used in the query is dynamic and may produce different results over various time periods. 
It's important to cross-check the events against the entities involved in the incident.\",\"lastUpdatedDateUTC\":\"2024-10-17T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| 
extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result =~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join kind=innerunique (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in~ (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = 
tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta <= deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\\n| extend ExternalUserName = tostring(split(ExternalUser, '@', 0)[0]), ExternalUserUPNSuffix = tostring(split(ExternalUser, '@', 1)[0])\\n| extend AdminInitiatorName = tostring(split(AdminInitiator, '@', 0)[0]), AdminInitiatorUPNSuffix = tostring(split(AdminInitiator, '@', 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ExternalUserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"ExternalUserUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AdminInitiatorName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AdminInitiatorUPNSuffix\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin Role\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role.\\nBy default this query will alert on any granted administrative role, however this can be modified using the roles variable if false positives occur in your environment. 
The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the deltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all 
alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * 'User-Agent\\\\\\\\\\\":\\\\\\\\\\\"' UserAgent2 '\\\\\\\\' *\\n| parse ExtendedProperties with * 'UserAgent\\\", \\\"Value\\\": \\\"' UserAgent1 '\\\"' *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == 'AzureActiveDirectoryStsLogon', UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\"\\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\"\\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != '-'\\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith '\\\\\\\"'\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent contains_cs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent contains_cs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend AccountName = split(Account, \\\"@\\\")[0], UPNSuffix = split(Account, 
\\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" 
RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n | extend AccountName = tostring(split(TargetAccount, @'\\\\')[1]), AccountNTDomain = tostring(split(TargetAccount, @'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. 
By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1cc0ba27-c5ca-411a-a779-fbc89e26be83\",\"name\":\"1cc0ba27-c5ca-411a-a779-fbc89e26be83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"// Filter alerts from specific Microsoft security products with medium and high severity\\nSecurityAlert \\n| where ProductName in (\\\"Microsoft 365 Defender\\\", \\\"Azure Active Directory\\\", \\\"Microsoft Defender Advanced Threat Protection\\\", \\\"Microsoft Cloud App Security\\\", \\\"Azure Active Directory Identity Protection\\\", \\\"Microsoft Defender ATP\\\")\\n| where AlertSeverity has_any (\\\"Medium\\\", \\\"High\\\")\\n// Parse JSON entities and extend AlertTimeGenerated\\n| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated\\n// Extract and process IP entities\\n| mv-apply Entity = Entities on \\n ( \\n where Entity.Type == 'ip' \\n | extend EntityIp = tostring(Entity.Address) \\n ) \\n// Extract and process account entities\\n| mv-apply Entity = Entities on \\n ( \\n where Entity.Type == 'account' \\n | extend AccountObjectId = tostring(Entity.AadUserId)\\n )\\n// Filter out records 
with empty EntityIp\\n| where isnotempty(EntityIp)\\n// Summarize data and create sets of entities and system alert IDs\\n| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)\\n by \\n AlertName,\\n ProductName,\\n AlertSeverity,\\n EntityIp,\\n Tactics,\\n Techniques,\\n ProviderName,\\n AlertTime= bin(AlertTimeGenerated, 1d),\\n AccountObjectId\\n// Join with GCPAuditLogs for VM instance creation\\n| join kind=inner (\\n GCPAuditLogs\\n | where ServiceName == \\\"compute.googleapis.com\\\" and MethodName endswith \\\"instances.insert\\\"\\n | extend\\n GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\\n GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\\n VMStatus = tostring(parse_json(Response).status),\\n VMOperation=tostring(parse_json(Response).operationType),\\n VMName= tostring(parse_json(Request).name),\\n VMType = tostring(split(parse_json(Request).machineType, \\\"/\\\")[-1])\\n | where GCPUserUPN !has \\\"gserviceaccount.com\\\"\\n | where VMOperation == \\\"insert\\\" and isnotempty(GCPUserIp) and GCPUserIp != \\\"private\\\"\\n | project\\n GCPOperationTime=TimeGenerated,\\n VMName,\\n VMStatus,\\n MethodName,\\n GCPUserUPN,\\n ProjectId,\\n GCPUserIp,\\n GCPUserUA,\\n VMOperation,\\n VMType\\n )\\n on $left.EntityIp == $right.GCPUserIp \\n// Join with IdentityInfo to enrich user identity details\\n| join kind=inner (IdentityInfo \\n | distinct AccountObjectId, AccountUPN, JobTitle\\n )\\n on AccountObjectId \\n// Calculate the time difference between the alert and VM creation for further analysis\\n| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, \\\"@\\\")[0], UPNSuffix = split(GCPUserUPN, 
\\\"@\\\")[1]\",\"customDetails\":{\"AlertName\":\"AlertName\",\"AlertProDuctName\":\"ProductName\",\"AlertUserName\":\"AccountUPN\",\"AlertUserObjectId\":\"AccountObjectId\",\"AlertIds\":\"SystemAlertIds\",\"AlertIp\":\"EntityIp\",\"GCPUserAgent\":\"GCPUserUA\",\"GCPVMName\":\"VMName\",\"GCPProjectId\":\"ProjectId\",\"GCPVMType\":\"VMType\",\"CorrelationWith\":\"GCPAuditLogs\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GCPUserIp\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GCPUserUPN\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}\",\"alertDescriptionFormat\":\"This detection correlates '{{ProductName}}' Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":\"AlertSeverity\"},\"tactics\":[\"InitialAccess\",\"Execution\",\"Discovery\"],\"displayName\":\"Suspicious VM Instance Creation Activity Detected\",\"description\":\"This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. 
It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2023-10-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"GCPAuditLogsDefinition\",\"dataTypes\":[\"GCPAuditLogs\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureActivity logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n // Select the IP entity based on availability of different IP 
fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now();\\n// Perform a join between IP indicators and AzureActivity logs to identify potential malicious activity\\nIP_Indicators\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated < ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = AzureActivity_TimeGenerated\\n| extend Name = iif(Caller has '@', tostring(split(Caller,'@',0)[0]), \\\"\\\")\\n| extend UPNSuffix = iif(Caller has '@', tostring(split(Caller,'@',1)[0]), 
\\\"\\\")\\n| extend AadUserId = iif(Caller !has '@', tostring(Caller), \\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map IP Entity to AzureActivity\",\"description\":\"This query maps any IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in AzureActivity.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOper
ator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet compressedTypes = dynamic(['zip', 'rar', 'tar', 'x-7z-compressed']);\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\\n| where attachedMimeType has_any (compressedTypes)\\n| summarize count(), make_set(attachedMimeType) by SrcUserUpn, DstUserUpn\\n| where count_ > msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = 
dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. 
An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated >= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where TimeGenerated >= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, 
CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated >= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Solorigate Domains Found in VM Insights\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"name\":\"9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let knotweed_sigs = dynamic([\\\"JumplumpDropper\\\", \\\"Jumplump\\\", \\\"Corelump\\\", \\\"Medcerc\\\", \\\"SuspModuleLoad\\\", \\\"Mexlib\\\"]);\\n let mde_data = (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n | join kind=rightouter ( SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in~ (knotweed_sigs)\\n | extend CompromisedEntity = tolower(CompromisedEntity)\\n ) on $left.DeviceName == $right.CompromisedEntity);\\n let event_data = ( Event\\n | where EventID in (1006, 1009, 1116, 1119)\\n | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\\n | mv-expand ThreatData\\n | where 
tostring(ThreatData.[\\\"@Name\\\"]) == \\\"Threat Name\\\"\\n | extend EventData = parse_xml(EventData)\\n | where tostring(ThreatData.[\\\"#text\\\"]) has_any (knotweed_sigs));\\n union mde_data, event_data\\n | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\\\"#text\\\"]))\\n | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\\\"#text\\\"]), \\\"/\\\")[-1])\\n | extend TimeGenerated = iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\\n | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\\n | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"[Deprecated] - Denim Tsunami AV Detection\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let auditList =\\nAuditLogs\\n| where TimeGenerated >= ago(14d)\\n| where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n| where Result =~ \\\"success\\\"\\n| extend TargetUserPrincipalName = tostring(TargetResources[2].userPrincipalName)\\n| extend displayName = tostring(TargetResources[0].displayName)\\n| extend displayName2 = tostring(TargetResources[3].displayName)\\n| extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n;\\nlet lookbackList = auditList\\n| where TimeGenerated between(ago(14d)..ago(1d))\\n;\\nlet recentList = auditList\\n| where TimeGenerated > ago(1d)\\n;\\nlet newlyElevated = recentList\\n| join kind = leftanti lookbackList on ElevatedRole, TargetUserPrincipalName\\n;\\nnewlyElevated | project Id, AdditionalDetails\\n| mv-expand bagexpansion=array AdditionalDetails\\n| evaluate bag_unpack(AdditionalDetails)\\n| extend key = column_ifexists(\\\"key\\\", ''), value = 
column_ifexists(\\\"value\\\", '')\\n| evaluate pivot(key, make_set(value))\\n| extend ipaddr = todynamic(column_ifexists(\\\"ipaddr\\\", \\\"\\\"))\\n| mv-expand ipaddr\\n| project Id, InitiatingIPAddress = tostring(ipaddr)\\n| join kind=rightouter newlyElevated on Id\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = iff(isnotempty(tostring(InitiatedBy.user.ipAddress)), tostring(InitiatedBy.user.ipAddress), InitiatingIPAddress)\\n| extend ElevatedBy = iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)\\n| extend ElevatedUser = TargetUserPrincipalName\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n| project-reorder ElevatedUser, ElevatedRole, ResultReason, ElevatedBy, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, 
TargetUserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Low\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\\n Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. 
Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.\\n As an example - ComputerList is an array that we check for a single value and write that into the HostName field for use in the entity mapping within Sentinel.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add =\\n(union isfuzzy=true\\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData with * '\\\"MemberName\\\">' * '=' AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project 
AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData.MemberName with * '\\\"MemberName\\\">' * '=' AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove =\\n( union isfuzzy=true\\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| parse EventData with * '\\\"MemberName\\\">' * '=' AccountRemoved \\\",OU\\\" *\\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),\\nRemovingAccount, RemovingAccountLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| 
parse EventData.MemberName with * '\\\"MemberName\\\">' * '=' AccountRemoved \\\",OU\\\" *\\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend RemovedAccountLogonId= tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),\\nRemovingAccount, RemovedAccountLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n));\\nAC_Add\\n| join kind = inner AC_Remove \\non $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed > 0\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend RemovedAccountName = tostring(split(AccountRemoved, @\\\"\\\\\\\")[1]), RemovedAccountNTDomain = tostring(split(AccountRemoved, @\\\"\\\\\\\")[0])\\n| extend RemovingAccountName = tostring(split(RemovingAccount, @\\\"\\\\\\\")[1]), RemovingAccountNTDomain = tostring(split(RemovingAccount, @\\\"\\\\\\\")[0])\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountRemoved\"},{\"identifier\":\"Name\",\"columnName\":\"RemovedAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"RemovedAccountNTDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"RemovingAccount\"},{\"identifier\":\"Name\",\"columnName\":\"RemovingAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"RemovingAccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to a privileged group and then quickly removed, which could be a sign of 
compromise.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| 
where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage =~ \\\"Verify\\\"\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend Name = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), UPNSuffix = 
tostring(split(InitiatingUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. 
\\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet URLRegex = \\\"((https?|ftp|ldap|wss?|file):\\\\\\\\/\\\\\\\\/(([\\\\\\\\:\\\\\\\\%\\\\\\\\w\\\\\\\\_\\\\\\\\-]+(\\\\\\\\.|@))*((xn--)?[a-zA-Z0-9\\\\\\\\-]+\\\\\\\\.)+(xn--[a-z0-9]+|[A-Za-z]+)|\\\\\\\\d{1,3}\\\\\\\\.\\\\\\\\d{1,3}\\\\\\\\.\\\\\\\\d{1,3}\\\\\\\\.\\\\\\\\d{0,3})[.,:\\\\\\\\w@?^=%&\\\\\\\\/~+#-]*[\\\\\\\\w@?^=%&\\\\\\\\/~+#-])\\\";\\nlet SecurityEvents = materialize(SecurityAlert\\n | where TimeGenerated >= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == 'Azure Sentinel', true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | mv-expand parse_json(Entities)\\n | where isnotempty(Entities.Url) or isnotempty(Entities.Urls)\\n | extend Url = coalesce(Entities.Url, Entities.Urls)\\n | mv-expand Url\\n | extend Url = tolower(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = 
tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated);\\nlet EventUrls = materialize(SecurityEvents | distinct Url | summarize make_list(Url));\\nThreatIntelligenceIndicator\\n| where isnotempty(Url)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| extend Url = tolower(Url)\\n| where tolower(Url) in (EventUrls)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\" \\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (SecurityEvents) on Url\\n| where Alert_TimeGenerated < ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project timestamp = Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Compromised_Host\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to SecurityAlert Data\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in SecurityAlert 
data.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=dynamic([\\\"403\\\"]))\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors 
= count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors > error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). 
This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * 'ProcessId\\\">' ProcessId \\\"<\\\" * 'Image\\\">' Image \\\"<\\\" * 'OriginalFileName\\\">' OriginalFileName \\\"<\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any (OriginalFileNameList))\\n| parse EventData with * 
'ProcessGuid\\\">' ProcessGuid \\\"<\\\" * 'Description\\\">' Description \\\"<\\\" * 'CommandLine\\\">' CommandLine \\\"<\\\" * 'CurrentDirectory\\\">' CurrentDirectory \\\"<\\\" * 'User\\\">' User \\\"<\\\" * 'LogonGuid\\\">' LogonGuid \\\"<\\\" * 'Hashes\\\">' Hashes \\\"<\\\" * 'ParentProcessGuid\\\">' ParentProcessGuid \\\"<\\\" * 'ParentImage\\\">' ParentImage \\\"<\\\" * 'ParentCommandLine\\\">' ParentCommandLine \\\"<\\\" * 'ParentUser\\\">' ParentUser \\\"<\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessId, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(User, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(User, \\\"\\\\\\\\\\\")[0])\\n| extend ImageFileName = tostring(split(Image, \\\"\\\\\\\\\\\")[-1])\\n| extend ImageDirectory = replace_string(Image, ImageFileName, \\\"\\\")\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"},{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImageFileName\"},{\"identifier\":\"Directory\",\"columnName\":\"ImageDirectory\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\nTwo common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. 
[1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds > TimeDeltaThreshold\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, 
DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)\\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent > PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns.\\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing.\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference 
Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\")\\n| where ActivityStatusValue =~ \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\")\\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)\\n| extend Name = 
tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only the expected users are using CloudShell.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50eb4cbd-188f-44f4-b964-bab84dcdec10\",\"name\":\"50eb4cbd-188f-44f4-b964-bab84dcdec10\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let timeframe = 1d;\\nlet time_window = 5m;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where EventID == 4688\\n| where Process has_any (\\\"java.exe\\\", \\\"javaw.exe\\\") and CommandLine has \\\"SysAidServer\\\" \\n| summarize by ParentProcessName,Process, Account, Computer, CommandLine, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where EventID == 4663\\n| where 
Process has_any (\\\"java.exe\\\", \\\"javaw.exe\\\")\\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\\n| where ObjectName endswith \\\".jsp\\\" \\n| summarize by ParentProcessName, Account, Computer, ObjectName, ProcessName, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId)\\n on timekey, Computer, SubjectLogonId\\n),\\n(DeviceFileEvents \\n| where InitiatingProcessFileName has_any (\\\"java.exe\\\", \\\"javaw.exe\\\") \\n| where InitiatingProcessCommandLine has \\\"SysAidServer\\\" \\n| where FileName endswith \\\".jsp\\\" \\n| extend Account = strcat(InitiatingProcessAccountDomain, @'\\\\', InitiatingProcessAccountName), Computer = DeviceName\\n),\\n(imFileEvent\\n| where TimeGenerated > ago(timeframe)\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"java.exe\\\", \\\"javaw.exe\\\") \\n| where ActingProcessCommandLine has \\\"SysAidServer\\\" \\n| where FilePath endswith \\\".jsp\\\" \\n| extend Account = ActorUsername, Computer = DvcHostname\\n)\\n)\\n| extend AccountName = tostring(split(Account, @'\\\\')[1]), AccountNTDomain = tostring(split(Account, @'\\\\')[0])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Identify SysAid Server web shell creation\",\"description\":\"This query looks for potential webshell creation by 
the threat actor Mercury after the sucessful exploitation of SysAid server. \\nReference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated > ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type == \\\"User\\\"\\n | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))\\n )\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, 
Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated > ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\" \\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type == \\\"User\\\"\\n | extend UserPrincipalName = trim(@'\\\"',tostring(TargetResource.userPrincipalName))\\n )\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletedByIPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95543d6d-f00d-4193-a63f-4edeefb7ec36\",\"name\":\"95543d6d-f00d-4193-a63f-4edeefb7ec36\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZincOctober2022IOCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet useragents = (iocs | where Type =~ \\\"useragent\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains) or SourceIP has_any (IPList) or DestinationIP has_any (IPList)\\n| parse Message with * '(' DNSName ')' *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend timestamp = TimeGenerated, 
AccountEntity = SourceUserID, UrlEntity = RequestURL , IPEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains) or IPAddresses has_any (IPList)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, HostEntity = Host, DNSCustomEntity = DNSName, IPEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains) or SourceIp has_any (IPList) or DestinationIp has_any (IPList)\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIp, HostEntity = Computer, ProcessEntity = ProcessName, DNSCustomEntity = DNSName\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP has_any (IPList) or DestinationIP has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountEntity = UserName, ProcessEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), HostEntity = Computer , IPEntity = DestinationIP\\n), \\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP has_any (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, 
InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = DeviceName, UrlEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where Category =~ \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP has_any (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where Category =~ \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where DestinationHost has_any (domains) or SourceHost has_any (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * 'SHA256=' SHA256 '\\\",' *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostEntity = Computer , AccountEntity = UserName, ProcessEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = SHA256\\n), \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, 
HostEntity = DeviceName , AccountEntity = RequestAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName , AccountEntity = InitiatingProcessAccountName, ProcessEntity = InitiatingProcessFileName, AlgorithmEntity = \\\"SHA256\\\", FileHashEntity = InitiatingProcessSHA256\\n),\\n(OfficeActivity\\n| where ClientIP has_any (IPList) or UserAgent has_any (useragents)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, AccountEntity = UserId\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(HostEntity, '.'), 1, -1), '.'))\\n| extend Name = tostring(split(AccountEntity, '@', 0)[0]), UPNSuffix = tostring(split(AccountEntity, '@', 
1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022\",\"description\":\"Use Microsoft's up-to-date Threat Intelligence solution from the Content Hub to replace the deprecated query with outdated IoCs. 
Install it from: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsFirewallAma\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\
":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated >= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins\\n) on UserPrincipalName\\n| where TimeGenerated > TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = 
UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup\\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,'|', State, '|', City) \\n| summarize TimeGenerated = make_list(TimeGenerated,100), Status = make_list(Status,100), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = 
tostring(split(UserPrincipalName,'@',1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon attempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was 
signing-in.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6b652b4f-9810-4eec-9027-7aa88ce4db23\",\"name\":\"6b652b4f-9810-4eec-9027-7aa88ce4db23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where CommandLine has \\\"wmic computersystem get domain\\\" and ParentProcessName has \\\"dllhost.exe\\\"\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where ProcessCommandLine has \\\"wmic computersystem get domain\\\" and InitiatingProcessFileName =~ \\\"dllhost.exe\\\" and InitiatingProcessCommandLine has \\\"dllhost.exe\\\"\\n| extend Account = strcat(InitiatingProcessAccountDomain, @'\\\\', InitiatingProcessAccountName), Computer = DeviceName\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @'\\\\')[1]), AccountNTDomain = tostring(split(Account, 
@'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Dev-0270 WMIC Discovery\",\"description\":\"The query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5;\\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where LoginResult != 
\\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ > signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails)\\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Microsoft Entra ID logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", 
\\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == '200'\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools. This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2024-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our 
threshold - i.e. are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount > triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession\\n| where isnotempty(Url)\\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) > dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri's and/or >=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ > 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct 
DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr}} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA).\\nDGAs are used by malware to generate rendezvous points that are difficult to predict in advance. 
This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, 
sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime >= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime < ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime\\n| extend Name = tostring(split(Account, '@', 0)[0]), UPNSuffix = tostring(split(Account, '@', 1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 
days. This detection extracts words from user agents to build the baseline and determine rareity rather than perform a direct comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. However, in normally stable environments, these new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are usually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e95aef3-a1e0-4063-8e74-cd59aa59f245\",\"name\":\"6e95aef3-a1e0-4063-8e74-cd59aa59f245\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\\\"\\n| summarize\\n TimeGenerated = arg_max(TimeGenerated, Properties),\\n ActivityStatusValue = make_set(ActivityStatusValue, 5),\\n take_any(Caller, CallerIpAddress, OperationName, ResourceGroup, Resource)\\n by CorrelationId, _ResourceId, OperationNameValue\\n| extend ResourceHierarchy = split(_ResourceId, \\\"/\\\")\\n| extend MonitoredResourcePath = 
strcat_array(array_slice(ResourceHierarchy, 0, array_length(ResourceHierarchy)-5), \\\"/\\\")\\n| join kind=leftanti (\\n AzureActivity\\n | where OperationNameValue !~ \\\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\\\" and OperationNameValue endswith \\\"/DELETE\\\" and ActivityStatusValue has_any (\\\"Success\\\", \\\"Succeeded\\\")\\n | project _ResourceId\\n) on $left.MonitoredResourcePath == $right._ResourceId\\n| extend\\n Name = iif(Caller has \\\"@\\\", tostring(split(Caller, \\\"@\\\")[0]), \\\"\\\"),\\n UPNSuffix = iif(Caller has \\\"@\\\", tostring(split(Caller, \\\"@\\\")[1]), \\\"\\\"),\\n AadUserId = iif(Caller has \\\"@\\\", \\\"\\\", Caller)\\n| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, OperationName, ActivityStatusValue, ResourceGroup, MonitoredResourcePath, Resource, Properties, Name, UPNSuffix, AadUserId, _ResourceId, CorrelationId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"AadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Diagnostic settings removed from a resource\",\"description\":\"This query looks for diagnostic settings that are removed from a resource.\\nThis could indicate an attacker or malicious internal trying to evade detection before malicious act is performed.\\nIf the diagnostic settings are being deleted as part of a parent resource deletion, the event is 
ignores.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"GitHubAuditData\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, Repository\\n| extend Name = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[0], Actor)\\n| extend UPNSuffix = iif(Actor contains \\\"@\\\", split(Actor, \\\"@\\\")[1], \\\"\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Actor\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn') and ProcessCommandLine has ('/tr \\\"wscript.exe') and ProcessCommandLine has ('\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\') and ProcessCommandLine has ('//e:VBScript //b\\\" /F')) or (ProcessCommandLine has ('wscript.exe C:\\\\\\\\Users\\\\\\\\') and ProcessCommandLine has ('.wav') and ProcessCommandLine has ('//e:VBScript //b') \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, 
InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\"), AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn') and CommandLine has ('/tr \\\"wscript.exe') and CommandLine has ('\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\') and CommandLine has ('//e:VBScript //b\\\" /F')) or (CommandLine has ('wscript.exe C:\\\\\\\\Users\\\\\\\\') and CommandLine has ('.wav') and CommandLine has ('//e:VBScript //b'))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn') and ActingProcessCommandLine has ('/tr \\\"wscript.exe') and ActingProcessCommandLine has ('\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\') and ActingProcessCommandLine has ('//e:VBScript //b\\\" /F')) or (ActingProcessCommandLine has ('wscript.exe C:\\\\\\\\Users\\\\\\\\') and ActingProcessCommandLine has ('.wav') and 
ActingProcessCommandLine has ('//e:VBScript //b') \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash, AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where (Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)) or (CommandLine has ('schtasks.exe /CREATE /sc minute /mo 12 /tn') and CommandLine has ('/tr \\\"wscript.exe') and CommandLine has ('\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\') and CommandLine has ('//e:VBScript //b\\\" /F')) or (CommandLine has ('wscript.exe C:\\\\\\\\Users\\\\\\\\') and CommandLine has ('.wav') and CommandLine has ('//e:VBScript //b') or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = 
UserName, ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1]), AlgorithmCustomEntity = \\\"SHA256\\\"\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = Fqdn, IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = QueryName, IPCustomEntity = SourceIp\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Aqua Blizzard Actor IOCs - Feb 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. 
To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\
":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ > threshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"Source_IP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"let riskScoreCutoff = 3; //Adjust this score threshold based on volume of results. 
Activities identified as the most abnormal receive the highest scores (on a scale of 0-10)\\nSigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| extend UserPrincipalName = tolower(UserPrincipalName)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\" or additionalDetails_ has \\\"fraud\\\"\\n| summarize StartTime = min(TimeGenerated), EndTIme = max(TimeGenerated) by UserPrincipalName, UserId, AADTenantId, FailedIPAddress = IPAddress\\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\\n| join kind=leftouter (\\n IdentityInfo\\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled\\n | summarize\\n Tags = make_set(Tags, 1000),\\n GroupMembership = make_set(GroupMembership, 1000),\\n AssignedRoles = make_set(AssignedRoles, 1000),\\n UserType = make_set(UserType, 1000),\\n UserAccountControl = make_set(UserType, 1000)\\n by AccountUPN\\n | extend UserPrincipalName=tolower(AccountUPN)\\n) on UserPrincipalName\\n//Below it will be joined with BehaviorAnalytics table to the Failed IP Addresses\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where isnotempty(SourceIPAddress)\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserName\\n | project-rename FailedIPAddress = SourceIPAddress, Name = UserName\\n | summarize\\n MaxInvestigationScore = max(InvestigationPriority) // Only retrieve maximum Investigation Property score for both FailedIP and User\\n by FailedIPAddress, Name)\\non FailedIPAddress, Name // Joining on both IP and User so as to only return context associated with same user\\n| extend UEBARiskScore = MaxInvestigationScore\\n| project-away *1 // removing duplicate 
columns post outer join from output\\n| where UEBARiskScore > riskScoreCutoff\\n| sort by UEBARiskScore desc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies occurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results. \\nPlease note, MFA Failed logons from known IP ranges can be benign depending on the conditional access policies. 
In case of noisy behavior, consider tuning the source IP ranges or location filter after careful consideration\",\"lastUpdatedDateUTC\":\"2024-12-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source 
== \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Tarrask malware IOC - April 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no 
longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated > ago(timeback) and TimeGenerated < ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look 
for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated > ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts > 0\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. 
A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Microsoft Entra ID Protection in order to show if the user conducting the action has any associated Microsoft Entra ID Protection alerts. You can also choose to filter this detection to only alert when the user also has Microsoft Entra ID Protection alerts associated with them.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b7643904-5081-4920-917e-a559ddc3448f\",\"name\":\"b7643904-5081-4920-917e-a559ddc3448f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let Threshold = 1;\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"AnomalyScoring\\\"\\n| where details_msg_s has \\\"XSS\\\"\\n| parse details_data_s with MessageText \\\"Matched Data:\\\" MatchedData \\\"AND \\\" * \\\"table_name FROM \\\" TableName \\\" \\\" *\\n| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData\\n| join kind = inner(\\nAzureDiagnostics\\n| where Category =~ \\\"FrontDoorWebApplicationFirewallLog\\\"\\n| where action_s =~ \\\"Block\\\") on trackingReference_s\\n| summarize URI_s = make_set(requestUri_s,100), Table = 
make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s\\n| where Total_TrackingReference >= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URI_s\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIP_s\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Front Door Premium WAF - XSS Detection\",\"description\":\"Identifies a match for an XSS attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.\\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)\",\"lastUpdatedDateUTC\":\"2023-12-20T00:00:00Z\",\"createdDateUTC\":\"2022-10-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.3\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles > 0\\n| extend timestamp = 
TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"AzureID\",\"columnName\":\"_ResourceId\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/422ca2bf-598b-4872-82bb-5f7e8fa731e7\",\"name\":\"422ca2bf-598b-4872-82bb-5f7e8fa731e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| extend FileName=tostring(split(NewProcessName, @'\\\\')[(-1)]), ProcessCommandLine = CommandLine, InitiatingProcessFileName=ParentProcessName\\n| where (FileName =~ \\\"powershell.exe\\\" and ProcessCommandLine has_all(\\\"try\\\", \\\"Add-MpPreference\\\", \\\"-ExclusionPath\\\", \\\"ProgramData\\\", \\\"catch\\\")) or (FileName =~ 'powershell.exe' and ProcessCommandLine has_all('Add-PSSnapin', 'Get-Recipient', '-ExpandProperty', 'EmailAddresses', 'SmtpAddress', '-hidetableheaders') )\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, InitiatingProcessFileName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(DeviceProcessEvents \\n| where (FileName =~ \\\"powershell.exe\\\" and ((ProcessCommandLine has_all(\\\"try\\\", \\\"Add-MpPreference\\\", \\\"-ExclusionPath\\\", \\\"ProgramData\\\", \\\"catch\\\")) or (ProcessCommandLine 
has_all('Add-PSSnapin', 'Get-Recipient', '-ExpandProperty', 'EmailAddresses', 'SmtpAddress', '-hidetableheaders'))))\\nor ( InitiatingProcessFileName =~ 'powershell.exe' and (((InitiatingProcessCommandLine has_all('$file=', 'dllhost.exe', 'Invoke-WebRequest', '-OutFile')) or ((InitiatingProcessCommandLine has_all('$admins=', 'System.Security.Principal.SecurityIdentifier', 'Translate', '-split', 'localgroup', '/add', '$rdp='))))))\\n| extend Account = strcat(InitiatingProcessAccountDomain, @'\\\\', InitiatingProcessAccountName), Computer = DeviceName\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @'\\\\')[1]), AccountNTDomain = tostring(split(Account, @'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Exfiltration\",\"DefenseEvasion\"],\"displayName\":\"Dev-0270 Malicious Powershell usage\",\"description\":\"DEV-0270 heavily uses powershell to achieve their objective at various stages of their attack. 
To locate powershell related activity tied to the actor, Microsoft Sentinel customers can run the following query.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-09-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb8a9c1c-f532-4630-817c-1ecd8a60ed80\",\"name\":\"eb8a9c1c-f532-4630-817c-1ecd8a60ed80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has \\\"Delete partner specific cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"tenantId\\\"\\n | extend ExtTenantDeleted = trim('\\\"',tostring(Property.oldValue))\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| 
extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Deleted\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. 
This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder 
TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. 
Given the additional customizability of self-hosted agents this detection focuses on the creation of new self-hosted pools.\\nTo further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), as an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert\\n| where DisplayName has \\\"Potential malware uploaded to\\\"\\n| extend Entities = parse_json(Entities)\\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData\\n| where Entities['Type'] =~ \\\"ip\\\"\\n| extend AttackerIP = tostring(Entities['Address']), AttackerCountry = tostring(Entities['Location']['CountryName']);\\n//Parse the file data\\nlet FileData = alertData\\n| where Entities['Type'] =~ \\\"file\\\"\\n| extend MaliciousFileDirectory = tostring(Entities['Directory']), MaliciousFileName = tostring(Entities['Name']), MaliciousFileHashes = tostring(Entities['FileHashes']);\\n//Combine the File and IP data together\\nipData\\n| join (FileData) on VendorOriginalId\\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, 
MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload\\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\")\\n| join (\\n union\\n StorageFileLogs,\\n StorageBlobLogs\\n //File upload operations\\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP\\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri\\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don't work\\n //We can work around this by making it an array then converting it to hex from an int\\n | extend base64Char = base64_decode_toarray(ResponseMd5)\\n | mv-expand base64Char\\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) < 2, strcat(\\\"0\\\", hexChar), hexChar)\\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\")\\n | summarize make_list(hexChar, 1000) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable\\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row\\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable)\\n | summarize UploadedFileInfo=make_list(p, 10000), FilesUploaded=count() by ClientIP\\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs\\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\"\\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
]+)\\\\?\\\", 1, Uri)\\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\")\\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable)\\n | summarize DeletedFileInfo=make_list(p, 10000), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP\\n| mvexpand UploadedFileInfo\\n| extend LinkedMaliciousFileName = tostring(UploadedFileInfo.FileName)\\n| extend LinkedMaliciousFileHash = tostring(UploadedFileInfo.Md5Hash)\\n| extend HashAlgorithm = \\\"MD5\\\"\\n| project AlertTimeGenerated = TimeGenerated, LinkedMaliciousFileName, LinkedMaliciousFileHash, HashAlgorithm, AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"AttackerIP\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"LinkedMaliciousFileHash\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"This query identifies the additional files uploaded by the same IP address which triggered a malware alert for malicious content upload on Azure Blob or File Storage 
Container.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * '(' DNSName ')' *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = 
DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, 
Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWDnsQuery\\n| where QueryName has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = QueryName, IPCustomEntity = SourceIp\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Fqdn, IPCustomEntity = SourceIp\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * 'SHA256=' SHA256 '\\\",' *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, 
ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = 
RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = 
NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"[Deprecated] - Caramel Tsunami Actor IOC - July 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterTh
an\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let query_frequency = 1h;\\nlet query_period = 2h;\\nAuditLogs\\n| where TimeGenerated > ago(query_period)\\n| where Category =~ \\\"ApplicationManagement\\\" and LoggedByService =~ \\\"Core Directory\\\"\\n| where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResource = TargetResources\\n| mv-expand modifiedProperty = TargetResource[\\\"modifiedProperties\\\"]\\n| where tostring(modifiedProperty[\\\"displayName\\\"]) == \\\"AppRole.Value\\\"\\n| extend PermissionGrant = tostring(modifiedProperty[\\\"newValue\\\"])\\n| where PermissionGrant has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| mv-apply modifiedProperty = TargetResource[\\\"modifiedProperties\\\"] on (\\n summarize modifiedProperties = make_bag(\\n bag_pack(tostring(modifiedProperty[\\\"displayName\\\"]),\\n bag_pack(\\\"oldValue\\\", trim(@'[\\\\\\\"\\\\s]+', tostring(modifiedProperty[\\\"oldValue\\\"])),\\n \\\"newValue\\\", trim(@'[\\\\\\\"\\\\s]+', tostring(modifiedProperty[\\\"newValue\\\"])))), 100)\\n)\\n| project\\n PermissionGrant_TimeGenerated = TimeGenerated,\\n PermissionGrant_OperationName = OperationName,\\n PermissionGrant_Result = Result,\\n PermissionGrant,\\n AppDisplayName = tostring(modifiedProperties[\\\"ServicePrincipal.DisplayName\\\"][\\\"newValue\\\"]),\\n AppServicePrincipalId = tostring(modifiedProperties[\\\"ServicePrincipal.ObjectID\\\"][\\\"newValue\\\"]),\\n PermissionGrant_InitiatedBy = InitiatedBy,\\n PermissionGrant_TargetResources = TargetResources,\\n PermissionGrant_AdditionalDetails = AdditionalDetails,\\n PermissionGrant_CorrelationId = CorrelationId\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated > ago(query_frequency)\\n | where Category =~ \\\"RoleManagement\\\" and LoggedByService =~ \\\"Core Directory\\\" and AADOperationType =~ \\\"Assign\\\"\\n | where isnotempty(InitiatedBy[\\\"app\\\"])\\n | mv-expand TargetResource = 
TargetResources\\n | mv-expand modifiedProperty = TargetResource[\\\"modifiedProperties\\\"]\\n | where tostring(modifiedProperty[\\\"displayName\\\"]) in (\\\"Role.DisplayName\\\", \\\"RoleDefinition.DisplayName\\\")\\n | extend RoleAssignment = tostring(modifiedProperty[\\\"newValue\\\"])\\n | where RoleAssignment contains \\\"Admin\\\"\\n | project\\n RoleAssignment_TimeGenerated = TimeGenerated,\\n RoleAssignment_OperationName = OperationName,\\n RoleAssignment_Result = Result,\\n RoleAssignment,\\n TargetType = tostring(TargetResources[0][\\\"type\\\"]),\\n Target = iff(isnotempty(TargetResources[0][\\\"displayName\\\"]), tostring(TargetResources[0][\\\"displayName\\\"]), tolower(TargetResources[0][\\\"userPrincipalName\\\"])),\\n TargetId = tostring(TargetResources[0][\\\"id\\\"]),\\n RoleAssignment_InitiatedBy = InitiatedBy,\\n RoleAssignment_TargetResources = TargetResources,\\n RoleAssignment_AdditionalDetails = AdditionalDetails,\\n RoleAssignment_CorrelationId = CorrelationId,\\n AppServicePrincipalId = tostring(InitiatedBy[\\\"app\\\"][\\\"servicePrincipalId\\\"])\\n ) on AppServicePrincipalId\\n| where PermissionGrant_TimeGenerated < RoleAssignment_TimeGenerated\\n| extend\\n TargetName = tostring(split(Target, \\\"@\\\")[0]),\\n TargetUPNSuffix = tostring(split(Target, \\\"@\\\")[1])\\n| project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, 
RoleAssignment_CorrelationId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). 
This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"3.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"..\\\",\\n\\\"..\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"// and not(EventData has \\\"0x3e4\\\")\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == 'Microsoft.IdentityServer.ServiceHost.exe'\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or 
isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == '7'\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA256=' SHA256 '\\\",' *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, '\\\\\\\\', FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, 
DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = 
DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * 'SHA256=' SHA256 '\\\",' *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == 'GET' and csUriStem has_any (GET_URI)) or (csMethod == 'POST' and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, 
Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"[Deprecated] - Midnight Blizzard IOCs related to FoggyWeb backdoor\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f3e2d35f-1202-4215-995c-4654ef07d1d8\",\"name\":\"f3e2d35f-1202-4215-995c-4654ef07d1d8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let BEC_Keywords = dynamic([ 'invoice','payment','paycheck','transfer','bank statement','bank 
details','closing','funds','bank account','account details','remittance','purchase','deposit',\\\"PO#\\\",\\\"Zahlung\\\",\\\"Rechnung\\\",\\\"Paiement\\\", \\\"virement bancaire\\\",\\\"Bankuberweisung\\\",'hacked','phishing']);\\n// Adjust this threshold based on your environment\\nlet sensitivity = 2.5;\\nlet Events = materialize(AWSCloudTrail\\n| where TimeGenerated between (ago(14d)..ago(0d))\\n| where UserIdentityAccountId != \\\"anonymous\\\"\\n| where EventSource startswith \\\"s3.\\\"\\n| where EventName =~ \\\"GetObject\\\"\\n| extend FilePath = tostring(parse_json(RequestParameters).key)\\n| where FilePath has_any(BEC_Keywords)\\n);\\nEvents\\n| summarize dcount(FilePath) by UserIdentityPrincipalid, bin(startofday(TimeGenerated), 1d)\\n| summarize CountOfDocs = make_list(dcount_FilePath, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserIdentityPrincipalid\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfDocs, sensitivity, -1, 'linefit')\\n| mv-expand CountOfDocs to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double),Score to typeof(double), Baseline to typeof(long)\\n| where Anomalies > 0\\n| project TimeStamp, CountOfDocs, Baseline, Score, Anomalies, UserIdentityPrincipalid\\n| join kind=inner(Events | extend TimeStamp = startofday(TimeGenerated)) on TimeStamp, UserIdentityPrincipalid\\n| extend Name = iif(UserIdentityUserName contains \\\"@\\\", split(UserIdentityUserName, \\\"@\\\")[0], UserIdentityUserName)\\n| extend UPNSuffix = iif(UserIdentityUserName contains \\\"@\\\", split(UserIdentityUserName, \\\"@\\\")[1], \\\"\\\")\\n| project-reorder TimeGenerated, UserIdentityType, UserIdentityPrincipalid, UserIdentityUserName, FilePath, EventName, UserAgent, SourceIpAddress, CountOfDocs, Baseline, 
Score\",\"customDetails\":{\"UserType\":\"UserIdentityType\",\"Event\":\"EventName\",\"UserAgent\":\"UserAgent\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FilePath\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Suspicious access of {{CountOfDocs}} BEC related documents in AWS S3 buckets by {{UserIdentityUserName}}\",\"alertDescriptionFormat\":\"This query looks for users (in this case {{UserIdentityUserName}}) with suspicious spikes in the number of files accessed (in this case {{CountOfDocs}})that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. 
In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.\\n\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Collection\"],\"displayName\":\"Suspicious access of BEC related documents in AWS S3 buckets\",\"description\":\"This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.\\nThe query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \\nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. 
In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2023-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n 
\\\"pekematclouds.com\\\", \\n \\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n 
\\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", \\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes 
= EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA256=' SHA256 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Nylon Typhoon domains and hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Medium\",\"query\":\"let threshold = 
200;\\n_Im_Dns(responsecodename='NXDOMAIN')\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ > threshold\\n| join kind=inner (_Im_Dns(responsecodename='NXDOMAIN')\\n ) on SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2023-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\
"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated > timeframe\\n| where EventType == 'Logon'\\n and EventResult == 'Success'\\n| where isnotempty(SrcGeoCountry)\\n| summarize\\n StartTime = min(TimeGenerated)\\n , EndTime = max(TimeGenerated)\\n , Vendors = make_set(EventVendor, 128)\\n , Products = make_set(EventProduct, 128)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n , Countries = make_set(SrcGeoCountry, 128)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries >= threshold\\n| where TargetUserType !in (\\\"Application\\\", \\\"Service\\\", \\\"System\\\", \\\"Other\\\", \\\"Machine\\\", \\\"ServicePrincipal\\\")\\n| extend\\n Name = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, '@', 0)[0])\\n , TargetUsername\\n ),\\n UPNSuffix = iif(\\n TargetUsername contains \\\"@\\\"\\n , tostring(split(TargetUsername, '@', 1)[0])\\n , \\\"\\\"\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2024-06-28T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"name\":\"ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let guids = dynamic([\\\"{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\",\\\"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\",\\\"{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\", \\\"{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\", \\\"{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\"]);\\n let mde_data = DeviceRegistryEvents\\n | where ActionType =~ \\\"RegistryValueSet\\\"\\n | where RegistryKey contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where RegistryKey has_any (guids)\\n | where RegistryValueData has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\";\\n let event_data = SecurityEvent\\n | where EventID == 4657\\n | where ObjectName contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where ObjectName has_any (guids)\\n | where NewValue has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\"\\n | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectUserName, InitiatingProcessAccountDomain = SubjectDomainName;\\n union mde_data, event_data\\n | extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, 
'.'))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"RegistryKey\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"InitiatingProcessAccountName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"COM Registry Key Modified to Point to File in Color Profile Folder\",\"description\":\"This query looks for changes to COM registry keys to point to files in C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This can be used to enable COM hijacking for persistence.\\n Ref: 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceRegistryEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlOriginal\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy 
logs.\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\nlet sha256Hashes = 
dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse 
RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' 
SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (domains)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = Fqdn\\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains)\\n| extend timestamp = TimeGenerated\\n| extend DNSName = QueryName\\n| extend IPCustomEntity = SourceIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * 'SHA256=' SHA256 '\\\",' *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"[Deprecated] - Midnight Blizzard - Domain, Hash and IP IOCs - May 2021\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":
0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d8b5a18-b7db-4c23-84a6-95febaf7e1e4\",\"name\":\"9d8b5a18-b7db-4c23-84a6-95febaf7e1e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Europium_September2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| parse Message with * '(' DNSName ')' * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\")\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend 
timestamp = TimeGenerated, IPEntity = DestinationIPAddress, HostEntity = Computer\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName, HostEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, '\\\\\\\\', -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\"), \\nHostEntity = Computer, AccountName = tostring(split(UserName, @'\\\\')[1]), AccountDomain = tostring(split(UserName, @'\\\\')[0])\\n| extend InitiatingProcessAccount = UserName\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, AccountName = 
tostring(split(UserId, \\\"@\\\")[0]), AccountDomain = tostring(split(UserId, \\\"@\\\")[1])\\n| extend InitiatingProcessAccount = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, \\nInitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, HostEntity = Computer, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostEntity = Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, IPEntity = IPAddress, HostEntity = Computer, Algorithm = \\\"SHA256\\\", FileHash = tostring(FileHash)\\n| extend AccountName = tostring(split(Account, @'\\\\')[1]), AccountDomain = tostring(split(Account, @'\\\\')[0])\\n| extend InitiatingProcessAccount = Account\\n),\\n(DeviceFileEvents\\n| where SHA256 
has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, \\nInitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain, \\nAlgorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, \\nInitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostEntity = DeviceName, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain, \\nAlgorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend InitiatingProcessAccount = strcat(AccountDomain, \\\"\\\\\\\\\\\", AccountName)\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", 
dynamic([\\\"\\\", \\\"\\\"])), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostEntity = Computer, AccountName = tostring(split(UserName, @'\\\\')[1]), AccountUPNSuffix = tostring(split(UserName, @'\\\\')[0]), FileHash = tostring(Hashes[1])\\n| extend InitiatingProcessAccount = UserName\\n)\\n)\\n| extend HostName = tostring(split(HostEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(HostEntity, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(HostEntity, DomainIndex + 1), HostEntity)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHash\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Europium - Hash and IP IOCs - September 2022\",\"description\":\"Identifies a match across various data feeds for hashes and IP IOC related to Europium\\n Reference: 
https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by 
LocationDetail);\\nlet known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\nSigninLogs\\n| where TimeGenerated > ago(1d)\\n| where ResultType == 0\\n| where isempty(DeviceDetail.deviceId)\\n| where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n| extend LocationParsed = parse_json(LocationDetails), DeviceParsed = parse_json(DeviceDetail)\\n| extend City = tostring(LocationParsed.city), State = tostring(LocationParsed.state)\\n| extend LocationDetail = strcat(Location, \\\"-\\\", State)\\n| extend DeviceId = tostring(DeviceParsed.deviceId), DeviceName=tostring(DeviceParsed.displayName), OS=tostring(DeviceParsed.operatingSystem), Browser=tostring(DeviceParsed.browser)\\n| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\\n| project TimeGenerated, Type, UserId, UserDisplayName, UserPrincipalName, IPAddress, Location, State, City, ResultType, ResultDescription, AppId, AppDisplayName, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, ClientAppUsed, Identity, HomeTenantId, ResourceTenantId, Status, UserAgent, DeviceId, DeviceName, OS, Browser, MfaDetail\\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"AppId\"},{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous Single Factor Signin\",\"description\":\"Detects successful 
signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2024-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cfc1ae62-db63-4a3e-b88b-dc04030c2257\",\"name\":\"cfc1ae62-db63-4a3e-b88b-dc04030c2257\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"// change the starttime value for a longer period of known OIDs\\nlet starttime = 1d;\\n// change the lookback value for a longer period of lookback for suspicious/abnormal\\nlet lookback = 1h;\\nlet OIDList = SecurityEvent\\n| where TimeGenerated >= ago(starttime)\\n| where EventSourceName == 'AD FS Auditing'\\n| where EventID == 501\\n| where EventData has '/eku'\\n| extend OIDs = extract_all(@\\\"([\\\\d+\\\\.]+)\\\", EventData)\\n| mv-expand OIDs\\n| extend OID = tostring(OIDs)\\n| extend OID_Length = strlen(OID)\\n| project TimeGenerated, Computer, EventSourceName, EventID, OID, OID_Length, EventData\\n;\\nOIDList\\n| where TimeGenerated >= ago(lookback)\\n| join kind=leftanti (\\nOIDList\\n| where TimeGenerated between (ago(starttime) .. 
ago(lookback))\\n| summarize by OID\\n) on OID\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"AD FS Abnormal EKU object identifier attribute\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious object identifiers (OIDs) as part EventID 501 and specifically part of the Enhanced Key Usage attributes.\\nThis query checks to see if you have any new OIDs in the last hour that have not been seen in the previous day. New OIDs should be validated and OIDs that are very long, as indicated\\nby the OID_Length field, could also be an indicator of malicious activity.\\nIn order to use this query you need to enable AD FS auditing on the AD FS 
Server.\\nReferences:\\nhttps://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/\\nhttps://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging\\n\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. 
If the client IP is not recognized, potentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device that is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join 
(AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\\n| extend AddingUserAccountName = tostring(split(AddingUser, \\\"@\\\")[0]), AddingUserAccountUPNSuffix = tostring(split(AddingUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"},{\"identifier\":\"Name\",\"columnName\":\"AddingUserAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AddingUserAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of users granted these permissions should be small. 
Note that permissions can also be granted via Microsoft Entra ID Protection groups and monitoring of these should also be conducted.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\")\\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\"\\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. 
toint(65535))\\n| where Computer != \\\"\\\"\\n| where ipv4_is_private(DestinationIP) == false\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"),\\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.\\n| where Reason !has \\\"aged-out\\\"\\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\"\\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\"\\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\"\\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ >= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication of internal to external port scanning or probing attack.\\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where 
AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated > ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Low\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid 
account.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let log4jioc = dynamic([\\\"jndi\\\",\\\"ldap\\\",\\\"${::\\\"]);\\nAzureDiagnostics\\n| where ResourceProvider == \\\"MICROSOFT.NETWORK\\\" and Category in (\\\"ApplicationGatewayFirewallLog\\\", \\\"FrontdoorWebApplicationFirewallLog\\\")\\n| extend details_data_s = column_ifexists(\\\"details_data_s\\\", tostring(AdditionalFields.details_data))\\n|where requestUri_s has_any (log4jioc) or details_message_s has_any (log4jioc) or details_data_s has_any (log4jioc)\\n| extend Malicious = iff(isnotempty( details_data_s),details_data_s,iff(isnotempty( requestUri_s),requestUri_s,\\\"\\\"))\\n|parse Malicious with * '${' MaliciousCommand '}' * \\n| extend EncodeCmd = iff(MaliciousCommand has 'Base64/', split(split(MaliciousCommand, \\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has 'base64/', split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| 
extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode/Doesn't need decoding\\\")\\n| project TimeGenerated, Target=column_ifexists(\\\"hostname_s\\\", tostring(AdditionalFields.hostname)), MaliciousHost = column_ifexists(\\\"clientIp_s\\\", tostring(AdditionalFields.clientIp)) , MaliciousCommand, details_data_s = column_ifexists(\\\"details_data_s\\\", tostring(AdditionalFields.details_data)), DecodedCmdLine, Message,\\nruleSetType_s = column_ifexists(\\\"ruleSetType_s\\\", tostring(AdditionalFields.ruleSetType)), OperationName, SubscriptionId, details_message_s = column_ifexists(\\\"details_message_s\\\", tostring(AdditionalFields.details_message)), \\ndetails_file_s = column_ifexists(\\\"details_message_s\\\", tostring(AdditionalFields.details_file))\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"MaliciousHost\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. 
If possible, it then decodes the malicious command for further analysis.\\n Reference: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.2\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet BinTime = 1h;\\nlet RunTime = 1h;\\nlet StartTime = 1h; \\nlet sensitivity = 2.5;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(EndRunTime))\\n| where AppDisplayName =~ \\\"GitHub.com\\\"\\n| where ResultType != 0\\n| make-series FailedLogins = count() on TimeGenerated from ago(LearningPeriod) to ago(EndRunTime) step BinTime by UserPrincipalName, Type\\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(FailedLogins, sensitivity, -1, 'linefit')\\n| mv-expand FailedLogins to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long) \\n| where TimeGenerated >= ago(RunTime)\\n| where Anomalies > 0 and Baseline > 0\\n| join kind=inner (\\n table(tableName) \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\\n | where AppDisplayName =~ \\\"GitHub.com\\\"\\n | where ResultType != 0\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress,100), Locations = make_set(LocationDetails,20), Devices = make_set(DeviceDetail,20) by UserPrincipalName, UserId, AppDisplayName\\n ) on UserPrincipalName\\n| project-away UserPrincipalName1\\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\\n| extend IPAddressFirst = tostring(IPAddresses[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddressFirst\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are 
trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated > ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | 
summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\\n | extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a 
domain.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = dynamic([\\\"CreatePolicy\\\", \\\"CreatePolicyVersion\\\"]);\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated >= ago(lookback)\\n| where EventName in (EventNameList) or EventName in (createPolicy)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 1)[0]), \\\"\\\");\\n//Checking for Policy creation event with 
Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated >= ago(lookback)\\n| where EventName in (createPolicy)\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName, RecipientAccountId, AccountName, AccountUPNSuffix\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, RecipientAccountId, AccountName, AccountUPNSuffix, PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"AccountName\\\", AccountName, \\\"AccountUPNSuffix\\\", AccountUPNSuffix, \\\"RecipientAccountId\\\", RecipientAccountId, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress)\\n| project EventSource, PolicyName, AttachEvent, RecipientAccountId, AccountName, AccountUPNSuffix, AttachEventCount\\n);\\n// Joining the list 
of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"DefenseEvasion\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
\\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html \\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, 
tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\\n| extend HostName = tostring(split(CompromisedEntity, \\\".\\\")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel, the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged-on users etc. 
\\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.5\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack)\\n // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n // Taking the first non-empty value based on potential IOC match availability\\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, \\\"NO_IP\\\")\\n // Picking up only IOC's that contain the entities we want\\n | where TI_ipEntity != \\\"NO_IP\\\"\\n // Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where 
Active == true and ExpirationDateTime > now();\\nlet IP_TI_list = toscalar(IP_TI\\n | summarize NIoCs = dcount(TI_ipEntity), IoCs = make_set(TI_ipEntity)\\n | project IoCs = iff(NIoCs > HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind = innerunique (\\n _Im_WebSession (starttime = ago(dt_lookBack), srcipaddr_has_any_prefix = IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated < ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated, *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\n TI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, Url, Type\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of the web request matches an IP IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. 
Consult the threat intelligence feed for more information about the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated > ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated > ago(7d)\\n | where 
isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated > ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend UserAddedDomain = case(\\n UserAdded has \\\"#EXT#\\\", tostring(split(tostring(split(UserAdded, \\\"#EXT#\\\")[0]), \\\"_\\\")[1]),\\n UserAdded !has \\\"#EXT#\\\", tostring(split(UserAdded, \\\"@\\\")[1]),\\n UserAdded)\\n | where UserAddedDomain !in (core_domains) and UserAddedDomain !in (alternative_domains)\\n | extend AddedByName = case(\\n InitiatingUserPrincipalName has \\\"#EXT#\\\", tostring(split(tostring(split(InitiatingUserPrincipalName, \\\"#EXT#\\\")[0]), \\\"_\\\")[0]),\\n InitiatingUserPrincipalName !has \\\"#EXT#\\\", tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]),\\n InitiatingUserPrincipalName)\\n | extend AddedByUPNSuffix = case(\\n InitiatingUserPrincipalName has \\\"#EXT#\\\", tostring(split(tostring(split(InitiatingUserPrincipalName, \\\"#EXT#\\\")[0]), \\\"_\\\")[1]),\\n InitiatingUserPrincipalName !has \\\"#EXT#\\\", tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1]),\\n InitiatingUserPrincipalName)\\n | extend UserAddedName = case(\\n UserAdded has \\\"#EXT#\\\", tostring(split(tostring(split(UserAdded, \\\"#EXT#\\\")[0]), \\\"_\\\")[0]),\\n UserAdded !has \\\"#EXT#\\\", tostring(split(UserAdded, \\\"@\\\")[0]),\\n 
UserAdded)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AddedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AddedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"},{\"identifier\":\"Name\",\"columnName\":\"UserAddedName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UserAddedDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for an account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to confirm expected creation.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2024-01-25T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Define the time range to look back for syslog data (1 hour)\\nlet ioc_lookBack = 14d; // Define the time range to look back for threat intelligence indicators (14 days)\\n// Create a list of top-level domains (TLDs) from the threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated > ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now()\\n | extend parts = split(DomainName, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n// Fetch the latest active domain indicators from the threat intelligence data within the specified time range\\nlet Domain_Indicators = ThreatIntelligenceIndicator\\n | where isnotempty(DomainName)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n 
| where Active == true and ExpirationDateTime > now()\\n | extend TI_DomainEntity = DomainName;\\n// Join the threat intelligence indicators with syslog data on matching domain entities\\nDomain_Indicators\\n | join kind=innerunique (\\n Syslog\\n | where TimeGenerated > ago(dt_lookBack)\\n // Extract domain patterns from syslog messages\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, '.')\\n // Split out the top-level domain (TLD)\\n | extend tld = parts[(array_length(parts)-1)]\\n // Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n ) on $left.TI_DomainEntity==$right.domain\\n | where Syslog_TimeGenerated < ExpirationDateTime\\n // Retrieve the latest syslog timestamp for each indicator and domain combination\\n | summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated, *) by IndicatorId, domain\\n // Select the desired columns for the final result set\\n | project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url, Type, TI_DomainEntity\\n // Extract the hostname from the Computer field\\n | extend HostName = tostring(split(Computer, '.', 0)[0])\\n // Extract the DNS domain from the Computer field\\n | extend DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\\n // Assign the Syslog_TimeGenerated value to the timestamp field\\n | extend timestamp = 
Syslog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"HostIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult='Success')\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, 
Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any (\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\\n | extend AccountName = tostring(split(SourceUser, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. \\n Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). 
Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @'\\\\')[1]), AccountNTDomain = tostring(split(Account, 
@'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud 
Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * 'TargetObject\\\">' TargetObject \\\"<\\\" * 'Details\\\">' Details \\\"<\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\\n| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate 
privileges by executing malicious content triggered by AppInit DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 
'packet', 'virus','wildfire', 'wildfire-virus')\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated > ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents < CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents > HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. 
\\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2024-11-07T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CefAma\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for VMConnection events\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\nThreatIntelligenceIndicator\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| where Action == true\\n| where TimeGenerated >= ago(ioc_lookBack)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) 
by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n| join (\\n GitHubAudit\\n | where TimeGenerated >= ago(dt_lookBack)\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog\\n| where TimeGenerated >= ago(timeframe)\\n| where isempty(CommunicationDirection)\\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend 
CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog\\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection)\\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec)\\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h\\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = 
prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", 
\\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ 
(DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA1=' SHA1 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames)\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames) \\n| extend DNSName = Fqdn \\n| extend IPAddress = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPAddress = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"[Deprecated] - Known Granite Typhoon domains and hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet 
aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == '4656'\\n| where EventData has aadJoinRoot or EventData has aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == 'Key'\\n| where ObjectName startswith aadJoinRoot and SubjectLogonId != '0x3e7' //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, '\\\\\\\\', -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == '4656'\\n | where EventData has keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == 'Key'\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != '0x3e7' //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, '\\\\\\\\', -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", 
SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == '4663'\\n| where ObjectType == 'Key'\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != '0x3e7' //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == '4663'\\n | where ObjectType == 'Key'\\n | where ObjectName has keyTransportKey and SubjectLogonId != '0x3e7' //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process to registry keys that 
provide information about an Microsoft Entra ID joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Microsoft Entra ID joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (Microsoft Entra ID joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (Microsoft Entra ID registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service 
principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where diff != \\\"[]\\\"\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage =~ \\\"Verify\\\"\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their 
environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or 
https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-03-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae10c588-7ff7-486c-9920-ab8b0bdb6ede\",\"name\":\"ae10c588-7ff7-486c-9920-ab8b0bdb6ede\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Mercury_August2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * '(' DNSName ')' * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 
0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\")\\n| extend IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\")\\n| extend AccountName = tostring(split(SourceUserID, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUserID, \\\"@\\\")[1])\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend IPAddress = IPAddresses, DNSName = Name, Computer\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in 
(IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend AccountNT = UserName, File = tostring(split(Image, '\\\\\\\\', -1)[-1]), IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend IPAddress = ClientIP, AccountUPN = UserId, AccountUPNName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessSHA256, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend IPAddress = RemoteIP, FileHash = InitiatingProcessSHA256\\n| extend AccountUPN = InitiatingProcessAccountName, AccountUPNName = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[1])\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend IPAddress = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 
'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) or DestinationHost has_any (domains) \\n| extend DNSName = DestinationHost, IPAddress = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| where msg_s has_any (IPList)\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" to \\\" TargetIP \\\":\\\" TargetPortInt:int *\\n| parse kind=regex flags=U msg_s with * \\\". Action\\\\\\\\: \\\" Action1a \\\"\\\\\\\\.\\\"\\n| parse msg_s with * \\\". Policy: \\\" Policy \\\". Rule Collection Group: \\\" RuleCollectionGroup \\\".\\\" *\\n| parse msg_s with * \\\" Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule \\n| extend IPAddress = SourceIP\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| where msg_s has_any (domains)\\n| parse msg_s with \\\"DNS Request: \\\" SourceIP \\\":\\\" SourcePortInt:int \\\" - \\\" QueryID:int \\\" \\\" RequestType \\\" \\\" RequestClass \\\" \\\" hostname \\\". 
\\\" protocol \\\" \\\" details\\n| extend\\n ResponseDuration = extract(\\\"[0-9]*.?[0-9]+s$\\\", 0, msg_s),\\n SourcePort = tostring(SourcePortInt),\\n QueryID = tostring(QueryID)\\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\\n| extend IPAddress = SourceIP\\n),\\n(AZFWApplicationRule\\n| where Fqdn has_any (domains) or Fqdn has_any (IPList)\\n| extend IPAddress = SourceIp\\n),\\n(AZFWDnsQuery\\n| where isnotempty(QueryName)\\n| where QueryName has_any (domains)\\n| extend DNSName = QueryName, IPAddress = SourceIp\\n),\\n(AZFWNetworkRule\\n| where DestinationIp has_any (IPList)\\n| extend IPAddress = SourceIp\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(FileHash), AccountUPN = SourceUserID, AccountUPNName = tostring(split(SourceUserID, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(SourceUserID, \\\"@\\\")[1])\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend AccountNT = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, AccountNT, IPAddress, CommandLine, FileHash, Algorithm = \\\"SHA256\\\"\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend AccountUPN = InitiatingProcessAccountName, AccountUPNName = tostring(split(InitiatingProcessAccountName, 
\\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[1])\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Algorithm = \\\"SHA256\\\", FileHash = tostring(InitiatingProcessSHA256), CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n| extend AccountUPN = InitiatingProcessAccountName, AccountUPNName = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(InitiatingProcessAccountName, \\\"@\\\")[1])\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", dynamic([\\\"\\\", \\\"\\\"])), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, AccountNT = UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), FileHash = tostring(Hashes[1]), Algorithm = tostring(Hashes[0])\\n)\\n)\\n| extend AccountNTName = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[1]), AccountNTDomain = tostring(split(AccountNT, \\\"\\\\\\\\\\\")[0])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = 
toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountUPNName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountNT\"},{\"identifier\":\"Name\",\"columnName\":\"AccountNTName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"Algorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHash\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Mercury - Domain, Hash and IP IOCs - August 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOC related to Mercury\\n Reference: 
https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2022-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7808c05a-3afd-4d13-998a-a59e2297693f\",\"name\":\"7808c05a-3afd-4d13-998a-a59e2297693f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"REDACTED\",\"customDetails\":{\"LastObservedTime\":\"LastObservedTime\",\"AppName\":\"AppNam
e\",\"NewCountryEvent\":\"NewCountryEvent\",\"PasswordResult\":\"PasswordResult\",\"AuthSucceeded\":\"AuthSucceeded\",\"failureReason\":\"failureReason\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"Domain\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"New country signIn with correct password\",\"description\":\"Identifies an interrupted sign-in session from a country the user has not sign-in before in the last 7 days, where the password was correct. Although the session is interrupted by other controls such as multi factor authentication or conditional access policies, the user credentials should be reset due to logs indicating a correct password was observed during sign-in.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-05-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union isfuzzy=true\\n( Event\\n| where TimeGenerated > ago(timeframe+lookback)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated > ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated > ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated > ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has 'wmiprvse.exe'\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any ('rundll32') \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, 
substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated > ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has 'wmiprvse.exe' and EventData has_any ('rundll32') \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has 'wmiprvse.exe'\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any ('rundll32') \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated > ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where 
LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(UserName, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(UserName, \\\"\\\\\\\\\\\")[1])\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an 
ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/22a320c2-e1e5-4c74-a35b-39fc9cdcf859\",\"name\":\"22a320c2-e1e5-4c74-a35b-39fc9cdcf859\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName=~ \\\"Update user\\\" \\n| where Result =~ \\\"success\\\" \\n| mv-expand 
TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName = tostring(TargetResources_modifiedProperties.displayName), \\nTargetUPN_oldValue = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))[0]), \\nTargetUPN_newValue = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))[0])\\n| where displayName == \\\"UserPrincipalName\\\" and TargetUPN_oldValue !has \\\"#EXT\\\" and TargetUPN_newValue has \\\"#EXT\\\"\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n| summarize arg_max(TimeGenerated, *) by CorrelationId\\n| project-reorder TimeGenerated, InitiatedBy, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, TargetUPN_oldValue, TargetUPN_newValue\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(TargetUPN_oldValue, \\\"@\\\")[0]), TargetUPNSuffix = tostring(split(TargetUPN_oldValue, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUPN_oldValue\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Suspicious linking of existing user to external User\",\"description\":\" This query will detect when an attempt is made to update an existing user and link it to an guest or external identity. These activities are unusual and such linking of external \\nidentities should be investigated. 
In some cases you may see internal Entra ID sync accounts (Sync_) do this which may be benign\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^']*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), 
Computer)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), 
\\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, 
IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(AZFWNetworkRule\\n| where isnotempty(DestinationIp)\\n| where DestinationIp has_any (IPList) \\n| extend DestinationIP = DestinationIp \\n| extend IPCustomEntity = SourceIp\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (IPList) \\n| extend DestinationIP = Fqdn \\n| extend IPCustomEntity = SourceIp\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Known Plaid Rain IP\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWNetworkRule\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedB
yTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated > ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatedBy = iff(isnotempty(InitiatingUserPrincipalName), InitiatingUserPrincipalName, InitiatingAppName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\\n )\\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith 
\\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated > ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any // This web may contain a list of these apps: https://msshells.net/\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\",// Aadrm Admin Powershell\\n \\\"14d82eec-204b-4c2f-b7e8-296a70dab67e\\\",// Microsoft Graph PowerShell\\n \\\"9cee029c-6210-4654-90bb-17e6e9d36617\\\" // Power Platform CLI - pac\\\"\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, AppDisplayName, 
ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\\n| extend InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0]), \\n InitiatedByName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"},{\"identifier\":\"Name\",\"columnName\":\"InvitedUserName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InvitedUserUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Microsoft Entra ID PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. 
This detection look at guest users, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.5\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", 
\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend HostName = tostring(split(Dvc, \\\".\\\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2024-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | summarize by InitiatingUserPrincipalName);\\n AuditLogs\\n | where TimeGenerated > ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppId = 
tostring(InitiatedBy.app.appId)\\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | where InitiatingUserPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, InitiatingAppId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"InitiatingAppId\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A 
threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in~ (\\\"msExchExternalHostName\\\", 
\\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @'\\\\')[1]), AccountNTDomain = tostring(split(Account, @'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell 
objects.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated,DeletingUser = 
ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated\\n| extend CreatingUserAccountName = tostring(split(CreatingUser, \\\"@\\\")[0]), CreatingUserAccountUPNSuffix = tostring(split(CreatingUser, \\\"@\\\")[1])\\n| extend DeletingUserAccountName = tostring(split(DeletingUser, \\\"@\\\")[0]), DeletingUserAccountUPNSuffix = tostring(split(DeletingUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUser\"},{\"identifier\":\"Name\",\"columnName\":\"CreatingUserAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"CreatingUserAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"},{\"identifier\":\"Name\",\"columnName\":\"DeletingUserAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"DeletingUserAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CreatingIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, or to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines created and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\")\\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\")\\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\")\\n| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false'\\n| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', \\\"All settings changed\\\",\\n EnforceLogin == 'false' and EnforceLoginDomain == 'false', \\\"Enforced Logons and Restricted Domains Changed\\\",\\n EnforceLoginDomain == 'false' and GuestAlerts == 'false', \\\"Enforced Domains Changed\\\",\\n EnforceLoginDomain == 'false', \\\"Enfored Domains Changed\\\",\\n GuestAlerts == 'false', \\\"Guest Join Alerts Changed\\\",\\n EnforceLogin == 'false', \\\"Enforced Logins Changed\\\",\\n \\\"No Changes\\\")\\n| extend AccountName = tostring(split(User, 
\\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.6\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\" \\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\"\\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), 
UserId)\\n| extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '')\\n| extend AccountName = iff(UserId contains '\\\\\\\\', tostring(split(UserId, '\\\\\\\\')[1]), AccountName)\\n| extend AccountNTDomain = iff(UserId contains '\\\\\\\\', tostring(split(UserId, '\\\\\\\\')[0]), '')\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog Disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet binaryTypes = dynamic(['zip', 'octet-stream', 'java-archive', 'rar', 'tar', 'x-7z-compressed', 'x-msdownload', 
'portable-executable']);\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'inbound'\\n| where FilterDisposition !in ('reject', 'discard')\\n| extend attachedMimeType = tostring(todynamic(MsgParts)[0]['detectedMime'])\\n| where attachedMimeType has_any (binaryTypes)\\n| project SrcUserUpn, AccountCustomEntity = tostring(parse_json(DstUserUpn)[0]), attachedMimeType, MsgHeaderSubject\\n| extend Name = tostring(split(AccountCustomEntity, \\\"@\\\")[0]), UPNSuffix = tostring(split(AccountCustomEntity, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\nlet user_regex = \\\"\\\";\\nAuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| where Result =~ \\\"success\\\"\\n| extend userAgent = 
tostring(AdditionalDetails[0].value)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n| extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n| where AddedUser matches regex user_regex\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n| extend TargetAccountName = tostring(split(AddedUser, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(AddedUser, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User 
Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2023-12-30T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated > ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles contains 'Admin' or GroupMembership has \\\"Admin\\\"\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner 
(\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies > 0 and baseline > baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated > startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated > startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), 
UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop['Type']==\\\"process\\\", Extprop['CommandLine'], '')\\n| extend File = iff(Extprop['Type']==\\\"file\\\", Extprop['Name'], '')\\n| extend Account = Extprop['Name']\\n| extend Domain = Extprop['UPNSuffix']\\n| extend Account = iif(isnotempty(Domain) and Extprop['Type']==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop['Type']==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop['Address'], '')\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join 
kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| extend AccountName = tostring(split(Initiatedby, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Initiatedby, \\\"@\\\")[1])\\n| project AADOperationType, ActivityDisplayName,AccountName, AccountUPNSuffix, Id,ResourceId,IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox 
permission tampering & Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2024-11-20T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 
4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated > ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, @'\\\\')[1]), AccountNTDomain = tostring(split(Account, @'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB 
and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.4\",\"severity\":\"Medium\",\"query\":\"// Set threshold value for deviation\\nlet threshold = 25;\\n// Set the time range for the query\\nlet timeRange = 24h;\\n// Set the authentication window duration\\nlet authenticationWindow = 20m;\\n// Define a reusable function 'aadFunc' that takes a table name as input\\nlet aadFunc = (tableName: string) {\\n // Query the specified table\\n table(tableName)\\n // Filter data within the last 24 hours\\n | where TimeGenerated > ago(1d)\\n // Filter records related to \\\"Azure Portal\\\" applications\\n | where AppDisplayName has \\\"Azure Portal\\\"\\n // Extract and transform some fields\\n | extend\\n DeviceDetail = todynamic(DeviceDetail),\\n LocationDetails = todynamic(LocationDetails)\\n | extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n // Categorize records as Success or Failure based on ResultType\\n | extend FailureOrSuccess = 
iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n // Sort and identify sessions\\n | sort by UserPrincipalName asc, TimeGenerated asc\\n | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n // Summarize data\\n | summarize FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName, SessionStartedUtc\\n | summarize FailureCountBeforeSuccess = sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress, 15), make_set(Browser, 15), make_set(City, 15), make_set(State, 15), make_set(Region, 15), make_set(ResultType, 15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n // Filter records where \\\"Success\\\" occurs in the middle of a session\\n | where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n | where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n // Remove unnecessary columns from the output\\n | project-away SessionStartedUtc, list_FailureOrSuccess\\n // Join with another table and calculate deviation\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated > ago(7d)\\n | where AppDisplayName has \\\"Azure Portal\\\"\\n | extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n | summarize avgFailures = avg(todouble(FailureOrSuccess == \\\"Failure\\\")) by UserPrincipalName\\n ) on UserPrincipalName\\n | extend Deviation = 
abs(FailureCountBeforeSuccess - avgFailures) / avgFailures\\n // Filter records based on deviation and failure count criteria\\n | where Deviation > threshold and FailureCountBeforeSuccess >= 10\\n // Expand the IPAddress array\\n | mv-expand IPAddress\\n | extend IPAddress = tostring(IPAddress)\\n | extend timestamp = StartTime\\n};\\n// Call 'aadFunc' with different table names and union the results\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n// Additional transformation - Split UserPrincipalName\\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. 
Default settings: 10 failures, 25 deviations.\\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2024-01-09T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = 'adfsadmin';\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated > ago(timeframe+lookback)\\n | where EventSourceName == 'AD FS Auditing'\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated > ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type 'http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation'\\n // for relying party '-' was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated > ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains 'identity/claims/name'\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists('@Name', \\\"\\\")), Value = column_ifexists('#text', \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", 
\\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == '%%14592' and Application == 'System'\\n | where DestAddress !in ('::1','0:0:0:0:0:0:0:1')\\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(ClaimsName, @'\\\\')[1]), AccountNTDomain = tostring(split(ClaimsName, @'\\\\')[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClaimsName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. The results then get correlated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates. 
In order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReferences:\\nhttps://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging\\nhttps://twitter.com/OTR_Community/status/1387038995016732672\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any ('NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)', 'NT AUTHORITY\\\\\\\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@'\\\\[?(::ffff:)?(?P(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?', dynamic([\\\"IPAddress\\\"]), ClientIP)[0])\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"AppId\",\"columnName\":\"AppId\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2024-03-18T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has (\\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = 
tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage =~ \\\"Verify\\\"\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend InitiatingUserAgent = tostring(AdditionalDetail.value)\\n )\\n| project-away new_value_set, old_value_set, TargetResource, Property, AdditionalDetail\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, \\ntargetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend Name = split(InitiatingUserPrincipalName, \\\"@\\\")[0], UPNSuffix = split(InitiatingUserPrincipalName, 
\\\"@\\\")[1]\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"targetDisplayName\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which\\nindicates there was no attempt by the user to set the password. 
This will show any attempts (success or fail) that occur\\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce02935c-cc67-4b77-9b96-93d9947e119a\",\"name\":\"ce02935c-cc67-4b77-9b96-93d9947e119a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"acrobatrelay.com\\\", \\\"finconsult.cc\\\", \\\"realmetaldns.com\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where DNSName in~ (DomainNames) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n), \\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' * \\n| where isnotempty(DNSName) \\n| where DNSName in~ (DomainNames) \\n| extend IPAddress = RemoteIp \\n), \\n( \\n 
DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl has_any (DomainNames) \\n| extend IPAddress = RemoteIP \\n| extend Computer = DeviceName \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n) \\n) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"[Deprecated] - Denim Tsunami C2 Domains July 2022\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Link\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\",\"PrivilegeEscalation\",\"DefenseEvasion\",\"CredentialAccess\",\"LateralMovement\"],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2024-07-24T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * 'ObjectClass\\\">' ObjectClass \\\"<\\\" *\\n| parse EventData with * 'AttributeLDAPDisplayName\\\">' AttributeLDAPDisplayName \\\"<\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * 'ObjectDN\\\">' ObjectDN \\\"<\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set 
domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-apply Property = modifiedProperties on \\n (\\n where Property.displayName =~ \\\"LiveType\\\"\\n | extend targetDisplayName = tostring(Property.displayName),\\n NewDomainValue = tostring(Property.newValue)\\n )\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, AADOperationType, targetDisplayName, Result, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend Name = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), UPNSuffix = 
tostring(split(InitiatingUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", 
\\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} 
)([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == '200'\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"SyslogAma\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs\\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\\n// Fetch threat intelligence indicators related to IP addresses\\nlet 
IP_Indicators = ThreatIntelligenceIndicator\\n // Filter out indicators without relevant IP address fields\\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n | where TimeGenerated >= ago(ioc_lookBack)\\n // Select the IP entity based on availability of different IP fields\\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes\\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true and ExpirationDateTime > now();\\n// Perform a join between IP indicators and AzureDiagnostics logs to identify potential malicious activity\\nIP_Indicators\\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\\n | join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated >= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\\\\.? Action: ' Firewall_Action @'\\\\.' 
Rest_msg\\n | extend SourceAddress = extract(@'([\\\\.0-9]+)(:[\\\\.0-9]+)?', 1, SourceHost)\\n | extend DestinationAddress = extract(@'([\\\\.0-9]+)(:[\\\\.0-9]+)?', 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n | where isnotempty(RemoteIP) // Filter out traffic involving public addresses only\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n )\\n on $left.TI_ipEntity == $right.RemoteIP\\n // Filter out logs that occurred after the expiration of the corresponding indicator\\n | where AzureFirewall_TimeGenerated < ExpirationDateTime\\n // Group the results by IndicatorId and RemoteIP, and keep the log entry with the latest timestamp\\n | summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n // Select the desired output fields\\n | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\n AzureFirewall_TimeGenerated, TI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol,\\n NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n // Rename the timestamp field\\n | extend timestamp = AzureFirewall_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"TI_ipEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend Hashes = todynamic(Hashes) | mv-expand Hashes\\n| where Hashes[0] =~ \\\"SHA256\\\" and Hashes[1] has_any (sha256Hashes)\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\\\\\', -1)[-1]), FileHashCustomEntity = tostring(Hashes[1])\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, 
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"[Deprecated] - Hive Ransomware IOC - July 2022\",\"description\":\"This query has been deprecated as the associated 
IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by 
UserId\\n| where array_length(DeletedTeams) > max_delete_count\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68c0b6bb-6bd9-4ef4-9011-08998c8ef90f\",\"name\":\"68c0b6bb-6bd9-4ef4-9011-08998c8ef90f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Threshold = 3;\\nAzureDiagnostics\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n| where action_s == \\\"Matched\\\"\\n| project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s\\n| join kind = inner(\\nAzureDiagnostics\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\n| where action_s == \\\"Blocked\\\"\\n| parse Message with MessageText 'Total Inbound Score: ' TotalInboundScore ' 
- SQLI=' SQLI_Score ',XSS=' XSS_Score ',RFI=' RFI_Score ',LFI=' LFI_Score ',RCE=' RCE_Score ',PHPI=' PHPI_Score ',HTTP=' HTTP_Score ',SESS=' SESS_Score '): ' Blocked_Reason '; individual paranoia level scores:' Paranoia_Score\\n| where Blocked_Reason contains \\\"SQL Injection Attack\\\" and toint(SQLI_Score) >=10 and toint(TotalInboundScore) >= 15) on transactionId_g\\n| extend Uri = strcat(hostname_s,requestUri_s)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, TotalInboundScore\\n| where Total_TransactionId >= Threshold\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Uri\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"clientIp_s\"}]}],\"tactics\":[\"DefenseEvasion\",\"Execution\",\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Application Gateway WAF - SQLi Detection\",\"description\":\"Identifies a match for SQL Injection attack in the Application gateway WAF logs. 
The Threshold value in the query can be changed as per your infrastructure's requirement.\\n References: https://owasp.org/Top10/A03_2021-Injection/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"CN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * 'ObjectDN\\\">' ObjectDN \\\"<\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend Name = tostring(split(SubjectAccount, \\\"\\\\\\\\\\\")[1]), NTDomain = tostring(split(SubjectAccount, 
\\\"\\\\\\\\\\\")[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our 
threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now();\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, '.')[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated < ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname 
{{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = 
ThreatIntelligenceIndicator\\n| where isnotempty(FileHashValue)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now();\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend HostName = tostring(split(DeviceName, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))\\n| extend Name = tostring(split(SourceUserName, '@', 0)[0]), UPNSuffix = tostring(split(SourceUserName, '@', 1)[0])\\n| extend timestamp = 
CommonSecurityLog_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.6\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming 
timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated >= ago(dt_lookBack)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\\n| extend timestamp = SecurityEvent_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"TI map Email entity to 
SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2024-07-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ >= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of 
Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2022-12-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcDvcIpAddr\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. 
This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2023-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"Application\\\"\\n | extend targetDisplayName = tostring(TargetResource.displayName),\\n targetId = tostring(TargetResource.id),\\n targetType = tostring(TargetResource.type),\\n keyEvents = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = keyEvents on \\n (\\n where Property.displayName =~ \\\"KeyDescription\\\"\\n | extend new_value_set = parse_json(tostring(Property.newValue)),\\n old_value_set = parse_json(tostring(Property.oldValue))\\n )\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\"\\n | mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where 
AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend UserAgent = tostring(AdditionalDetail.value)\\n )\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin 
or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-03-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\" or GroupMembership has \\\"Admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated > ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where 
AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber\\n | extend AccountName = tostring(split(UserPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where 
TimeGenerated > ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated > ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: 
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet AuditEvents = materialize(AuditLogs\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated);\\nlet AuditUrls = AuditEvents | distinct Url = tolower(Url) | summarize make_list(Url);\\nThreatIntelligenceIndicator\\n| where isnotempty(Url)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| where tolower(Url) in (AuditUrls)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: 
falsepos;\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (AuditEvents) on Url\\n| where Audit_TimeGenerated < ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend AccountName = tostring(split(userPrincipalName, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(userPrincipalName, \\\"@\\\")[1])\\n| extend HostName = tostring(split(TargetResourceDisplayName, \\\".\\\")[0]), DomainIndex = toint(indexof(TargetResourceDisplayName, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(TargetResourceDisplayName, DomainIndex + 1), TargetResourceDisplayName)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetResourceDisplayName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI Map URL Entity to AuditLogs\",\"description\":\"This query identifies any URL indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in 
AuditLogs.\",\"lastUpdatedDateUTC\":\"2024-09-12T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\\n | extend Name=tostring(split(TargetUserName, \\\"@\\\")[0]), UPNSuffix=tostring(split(TargetUserName, \\\"@\\\")[1])\\n | extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has 
'.',substring(Computer,indexof(Computer,'.')+1),'')\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address, which can indicate a tunneled login.\\nRef: https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated >= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ 
\\\"success\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend targetResourceName = tostring(TargetResource.displayName),\\n targetResourceID = tostring(TargetResource.id),\\n targetResourceType = tostring(TargetResource.type),\\n targetModifiedProp = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"ConsentContext.IsAdminConsent\\\"\\n | extend isAdminConsent = trim(@'\\\"',tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"ConsentAction.Permissions\\\"\\n | extend Consent_Permissions = trim(@'\\\"',tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"TargetId.ServicePrincipalNames\\\"\\n | extend Consent_ServicePrincipalNames = tostring(extract_all(@\\\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\\\",trim(@'\\\"',tostring(Property.newValue)))[0])\\n )\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated >= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend targetResourceName = tostring(TargetResource.displayName),\\n targetResourceID = tostring(TargetResource.id),\\n targetModifiedProp = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ 
\\\"KeyDescription\\\"\\n | extend Credential_KeyDescription = trim(@'\\\"',tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"Included Updated Properties\\\"\\n | extend UpdatedProperties = trim(@'\\\"',tostring(Property.newValue))\\n )\\n| mv-apply Property = targetModifiedProp on \\n (\\n where Property.displayName =~ \\\"TargetId.ServicePrincipalNames\\\"\\n | extend Credential_ServicePrincipalNames = tostring(extract_all(@\\\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\\\",trim(@'\\\"',tostring(Property.newValue)))[0])\\n )\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent < TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, Name = tostring(split(Credential_InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(Credential_InitiatingUserOrApp,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"Consent_InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added 
after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"name\":\"f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"DeviceFileEvents\\n | where ActionType =~ \\\"FileCreated\\\"\\n | where FolderPath has \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\\\\\\\\\" \\n | where FileName endswith \\\".exe\\\" or FileName endswith 
\\\".dll\\\"\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"PE file dropped in Color Profile Folder\",\"description\":\"This query looks for writes of PE files to C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.4\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename='NXDOMAIN', starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains 
\\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld > threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld > threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). 
Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n | extend InitiatingAppServicePrincipalId = 
tostring(InitiatedBy.app.servicePrincipalId)\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatingUserPrincipalName),InitiatingUserPrincipalName, InitiatingAppName))\\n | extend ServicePrincipalName = tostring(TargetResources[0].displayName)\\n | extend ServicePrincipalId = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", '')\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | extend displayName = tostring(TargetResources_0_modifiedProperties.displayName), newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where displayName == \\\"Role.DisplayName\\\" and newValue contains \\\"admin\\\"\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | extend TargetRole = newValue\\n | project-reorder TimeGenerated, ServicePrincipalName, ServicePrincipalId, InitiatedBy, TargetRole, 
InitiatingIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"ServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any 
(FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend InitiatingProcessAccount = strcat(InitiatingProcessAccountDomain, \\\"\\\\\\\\\\\", InitiatingProcessAccountName)\\n| extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\\n| extend timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccount\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingProcessAccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"InitiatingProcessAccountDomain\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Entra ID PowerShell accessing non-Entra ID resources\",\"description\":\"This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Microsoft Entra ID Signin activity reports, see: 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2024-04-05T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c1e9381-79dd-4ddf-9570-b73a1dc59fe0\",\"name\":\"9c1e9381-79dd-4ddf-9570-b73a1dc59fe0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"REDACTED\",\"customDetails\":{\"Score\":\"Score\",\"Baseline\":\"Baseline\",\"UserCount\":\"UserCount\",\"AppName\":\"AppName\",\"PasswordResult\":\"PasswordResult\",\"UserList\":\"UserList\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomaly Sign In Event from an IP\",\"description\":\"Identifies sign-in anomalies from an IP in the last hour, targeting multiple users where the password is correct after multiple 
attempts\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.7\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated >= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * 'TicketEncryptionType\\\">' TicketEncryptionType \\\"<\\\" *\\n| where TicketEncryptionType == '0x17'\\n| parse EventData with * 'TicketOptions\\\">' TicketOptions \\\"<\\\" *\\n| where TicketOptions == '0x40810000'\\n| parse EventData with * 'Status\\\">' Status \\\"<\\\" *\\n| where Status == '0x0'\\n| parse EventData with * 'ServiceName\\\">' ServiceName \\\"<\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| parse EventData with * 'TargetUserName\\\">' TargetUserName \\\"<\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * 'IpAddress\\\">::ffff:' ClientIPAddress \\\"<\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated >= ago(starttime)\\n| where EventID == 4769 and EventData has '0x17' and EventData has '0x40810000' and EventData has 'krbtgt'\\n| extend TicketEncryptionType = 
tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == '0x17'\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == '0x40810000'\\n| extend Status = tostring(EventData.Status)\\n| where Status == '0x0'\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress)\\n));\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName)\\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h < prev23hThreshold;\\nlet Kerbevent1h =\\nKerbevent\\n| where TimeGenerated >= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName)\\nby Computer, TargetUserName, TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h\\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h > prev1hThreshold\\n| project StartTime = min_TimeGenerated, EndTime = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions,\\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend 
TargetAccount = strcat(TargetDomainName, \\\"\\\\\\\\\\\", TargetUserName)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetAccount\"},{\"identifier\":\"Name\",\"columnName\":\"TargetUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"TargetDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment.\\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment.\\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains a hash of the Service account. This can then be used for offline cracking.\\nThis hunting query looks for accounts that are generating excessive requests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number of request within a small time window. 
This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)['foo@bar.com', 'test@foo.com'];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)['Security.','Project.','AuditLog.','Extension.'];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)['Group.UpdateGroupMembership.Add','Library.ServiceConnectionExecuted','Pipelines.PipelineModified',\\n'Release.ReleasePipelineModified', 'Git.RefUpdatePoliciesBypassed'];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend 
timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.11\",\"severity\":\"Medium\",\"query\":\"let riskScoreCutoff = 3; //Adjust this score threshold based on volume of results. 
Activities identified as the most abnormal receive the highest scores (on a scale of 0-10)\\nlet logonDiff = 10m; \\nlet aadFunc = (tableName:string)\\n{ \\ntable(tableName)\\n| where ResultType == \\\"0\\\"\\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\") // To remove false-positives, add more Apps to this array\\n// ---------- Fix for SuccessBlock to also consider IPv6\\n| extend SuccessIPv6Block = strcat(split(IPAddress, \\\":\\\")[0], \\\":\\\", split(IPAddress, \\\":\\\")[1], \\\":\\\", split(IPAddress, \\\":\\\")[2], \\\":\\\", split(IPAddress, \\\":\\\")[3])\\n| extend SuccessIPv4Block = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])\\n// ------------------\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, SuccessLocation = Location, AppDisplayName, SuccessIPBlock = iff(IPAddress contains \\\":\\\", strcat(split(IPAddress, \\\":\\\")[0], \\\":\\\", split(IPAddress, \\\":\\\")[1]), strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\")\\n | where ResultDescription !~ \\\"Other\\\"\\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, FailedLocation = Location, AppDisplayName, ResultType, ResultDescription, Type \\n) on UserPrincipalName, AppDisplayName\\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, SuccessLocation, AppDisplayName, FailedIPAddress, FailedLocation, ResultType, ResultDescription, Type\\n| extend timestamp = 
SuccessLogonTime\\n| extend UserPrincipalName = tolower(UserPrincipalName)};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\\n// UEBA context below - make sure you have these 2 datatypes, otherwise the query will not work. If so, comment all that is below.\\n| join kind=leftouter (\\n IdentityInfo\\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled\\n | summarize\\n Tags = make_set(Tags, 1000),\\n GroupMembership = make_set(GroupMembership, 1000),\\n AssignedRoles = make_set(AssignedRoles, 1000),\\n UserType = make_set(UserType, 1000),\\n UserAccountControl = make_set(UserType, 1000)\\n by AccountUPN\\n | extend UserPrincipalName=tolower(AccountUPN)\\n) on UserPrincipalName\\n//Below it will be joined with BehaviorAnalytics table to the Failed IP Addresses\\n| join kind=leftouter (\\n BehaviorAnalytics\\n | where ActivityType in (\\\"FailedLogOn\\\", \\\"LogOn\\\")\\n | where isnotempty(SourceIPAddress)\\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserName\\n | project-rename FailedIPAddress = SourceIPAddress, Name = UserName\\n | summarize\\n MaxInvestigationScore = max(InvestigationPriority) // Only retrieve maximum Investigation Property score for both FailedIP and User\\n by FailedIPAddress, Name)\\non FailedIPAddress, Name // Joining on both IP and User so as to only return context associated with same user\\n| extend UEBARiskScore = MaxInvestigationScore\\n| project-away *1 // removing duplicate columns post outer join from output\\n| where UEBARiskScore > riskScoreCutoff\\n| sort by UEBARiskScore 
desc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). \\nUEBA added for context to gather all asoociated information assocaited with IP addressed initiating Faile Logon and affected user. \\nPlease note, Failed logons from known IP ranges can be benign depending on the conditional access policies. 
In case of noisy behavior, consider tuning the source IP ranges after careful consideration\",\"lastUpdatedDateUTC\":\"2024-08-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace's geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/188db479-d50a-4a9c-a041-644bae347d1f\",\"name\":\"188db479-d50a-4a9c-a041-644bae347d1f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"REDACTED\",\"customDetails\":{\"AWSUser\":\"UserIdentityArn\",\"UserAgent\":\"UserAgent\",\"AWSUserUPN\":\"CTUPN\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Successful AWS Console Login from IP Address Observed Conducting Password Spray\",\"description\":\"This query aims to detect instances of successful AWS console login events followed by multiple failed app logons alerts generated by Microsoft Cloud App Security or password spray alerts generated by Defender Products.\\n Specifically, it focuses on scenarios where the 
successful login takes place within a 60-minute timeframe of the high-severity alert. \\n The login is considered relevant if it originates from an IP address associated with potential attackers.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b51fe620-62ad-4ed2-9d40-5c97c0a8231f\",\"name\":\"b51fe620-62ad-4ed2-9d40-5c97c0a8231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n// Filtering alerts based on Microsoft product names\\n | where ProductName in (\\\"Microsoft 365 Defender\\\", \\\"Azure Active Directory\\\", \\\"Microsoft Defender Advanced Threat Protection\\\", \\\"Microsoft Cloud App Security\\\",\\\"Azure Active Directory Identity Protection\\\", \\\"Microsoft Defender ATP\\\")\\n// Narrowing down alerts to specific tactics\\n | where Tactics in(\\\"CredentialAccess\\\", \\\"InitialAccess\\\")\\n// Focusing on high-severity alerts\\n | where AlertSeverity == \\\"High\\\"\\n// Parsing and extending the 'Entities' column as JSON objects\\n | extend Entities = 
parse_json(Entities) \\n// Exploring IP entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == 'ip' \\n | extend EntityIp = tostring(Entity.Address) \\n ) \\n// Exploring account entities within the alert entities\\n | mv-apply Entity = Entities on \\n ( \\n where Entity.Type == 'account' \\n | extend AccountObjectId = tostring(Entity.AadUserId)\\n )\\n// Filtering out alerts with missing IP or account information\\n | where isnotempty(EntityIp) and isnotempty(AccountObjectId)\\n// Summarizing relevant fields for further analysis\\n | summarize \\n by \\n AlertName,\\n ProductName,\\n ProviderName,\\n AlertSeverity,\\n EntityIp,\\n Tactics,\\n Techniques,\\n AlertTime= bin(TimeGenerated, 1min),\\n AccountObjectId,\\n AlertTimeGenerated=TimeGenerated\\n// Joining with IdentityInfo to obtain additional account details\\n | join kind=inner (\\n IdentityInfo\\n | where TimeGenerated >= ago(1d)\\n | distinct AccountObjectId, AccountUPN=tolower(AccountUPN)\\n )\\n on AccountObjectId \\n |extend Name = tostring(split(AccountUPN,'@')[0]), UPNSuffix =tostring(split(AccountUPN,'@')[1])\\n// Joining with AWSCloudTrail data to correlate AWS console logins\\n | join kind=inner (\\n AWSCloudTrail\\n | where EventName == \\\"ConsoleLogin\\\"\\n | extend CTUPN= tolower(tostring(tolower(split(UserIdentityArn, \\\"/\\\", 2)[0])))\\n | extend ActionType= tostring(parse_json(ResponseElements).ConsoleLogin) \\n | where ActionType == \\\"Success\\\"\\n | extend AWSTime= bin(TimeGenerated, 1min)\\n | project\\n EventName,\\n EventSource,\\n EventTypeName,\\n RecipientAccountId,\\n ResponseElements,\\n SessionMfaAuthenticated,\\n SourceIpAddress,\\n TimeGenerated,\\n UserAgent,\\n UserIdentityArn,\\n UserIdentityType,\\n CTUPN,\\n AWSTime,\\n UserIdentityUserName\\n )\\n on $left.EntityIp == $right.SourceIpAddress \\n// Filtering login event after the Alert generation time\\n | where AlertTimeGenerated >= AWSTime\\n// Calculating the time 
difference between alert generation and AWS login\\n | extend timediff = datetime_diff('minute', AlertTimeGenerated, TimeGenerated) \\n// Filtering alerts with a time difference of up to 60 minutes\\n | where timediff between ((-60)..(60))\",\"customDetails\":{\"AWSUSerUPN\":\"CTUPN\",\"AzureUserUPN\":\"AccountUPN\",\"ComonIp\":\"SourceIpAddress\",\"UserAgent\":\"UserAgent\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Suspicious AWS console logins by credential access alerts\",\"description\":\"This query aims to detect instances of successful AWS console logins that align with high-severity credential access or Initial Access alerts generated by Defender Products.\\n Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert. 
The login is considered relevant if it originates from an IP address associated with potential attackers.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2023-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.7\",\"severity\":\"Low\",\"query\":\"let timeRange = 2h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated > ago(timeRange)\\n| where EventID in (4624, 4625)\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 10 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by bin(TimeGenerated, 10m), Account, IpAddress, Computer, Outcome\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort 
by TimeGenerated asc, Account, IpAddress, Computer, Outcome, OutcomeCount\\n| serialize\\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), make_list(Outcome, 128), make_set(Computer, 128), make_set(IpAddress, 128) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome\\n// where the number of failures before the success is above the threshold\\n| where FailureCountBeforeSuccess >= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mv-expand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, NTDomain = split(Account, '\\\\\\\\', 0)[0], Name = split(Account, '\\\\\\\\', 1)[0], HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), 
'.'))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment.\\nThe lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum of 5 failures followed by a success for an account within 1 hour to surface an 
alert.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"// https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html \\nAWSGuardDuty \\n// Parse the finding\\n// https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html \\n// Example: \\\"ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact\\\"\\n| extend findingTokens = split(ActivityType, \\\":\\\")\\n| extend ThreatPurpose=findingTokens[0], findingTokens=split(findingTokens[1], \\\"/\\\")\\n| extend ResourceTypeAffected=findingTokens[0], findingTokens= split(findingTokens[1], \\\".\\\")\\n| extend ThreatFamilyName=findingTokens[0], findingTokens=split(findingTokens[1], \\\"!\\\")\\n| extend DetectionMechanism=findingTokens[0], Artifact=findingTokens[1]\\n// Assign severity level\\n// https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity\\n| extend Severity = \\n case (\\n Severity >= 7.0, \\\"High\\\",\\n Severity between (4.0 .. 6.9), \\\"Medium\\\",\\n Severity between (1.0 .. 
3.9), \\\"Low\\\",\\n \\\"Unknown\\\"\\n )\\n// Pull out any available resource details we can extract entities from. These may not exist in the alert.\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Resource.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AccessKeyDetails.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RdsDbUserDetails.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesDetails.html \\n| extend AccessKeyDetails=ResourceDetails.accessKeyDetails\\n| extend RdsDbUserDetails=ResourceDetails.rdsDbUserDetails\\n| extend KubernetesDetails=ResourceDetails.kubernetesDetails\\n// Pull out any available action details we can extract entities from. These may not exist in the alert.\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Action.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AwsApiCallAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesApiCallAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_NetworkConnectionAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RdsLoginAttemptAction.html \\n| extend ServiceAction = \\n case(\\n isnotempty(ServiceDetails.action.awsApiCallAction), ServiceDetails.action.awsApiCallAction,\\n isnotempty(ServiceDetails.action.kubernetesApiCallAction), ServiceDetails.action.kubernetesApiCallAction,\\n isnotempty(ServiceDetails.action.networkConnectionAction), ServiceDetails.action.networkConnectionAction,\\n isnotempty(ServiceDetails.action.rdsLoginAttemptAction), ServiceDetails.action.rdsLoginAttemptAction,\\n dynamic(null)\\n )\\n// The IPv4 remote address of the connection\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RemoteIpDetails.html \\n// or\\n// The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API 
endpoint \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesApiCallAction.html \\n| extend RemoteIpAddress = \\n coalesce(\\n tostring(ServiceAction.remoteIpDetails.ipAddressV4),\\n tostring(parse_json(ServiceAction.sourceIPs)[0])\\n )\\n// The IPv4 local address of the connection\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_LocalIpDetails.html \\n| extend LocalIpAddress = ServiceAction.localIpDetails.ipAddressV4\\n// The AWS account ID of the remote API caller.\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AwsApiCallAction.html \\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RemoteAccountDetails.html \\n| extend RemoteAWSAccountId = ServiceAction.remoteAccountDetails.accountId\\n// The IAM access key details (user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding\\n// https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AccessKeyDetails.html \\n| extend AccountUpn = \\n case(\\n AccessKeyDetails.userType == \\\"IAMUser\\\", AccessKeyDetails.userName,\\n AccessKeyDetails.userType == \\\"AssumedRole\\\", split(AccessKeyDetails.principalId, \\\":\\\", 1)[0],\\n isnotempty(RdsDbUserDetails.user), RdsDbUserDetails.user,\\n isnotempty(KubernetesDetails.kubernetesUserDetails.username), KubernetesDetails.kubernetesUserDetails.username,\\n \\\"\\\"\\n )\\n| extend AccountName = split(AccountUpn, \\\"@\\\", 0)[0]\\n| extend UPNSuffix = split(AccountUpn, \\\"@\\\", 1)[0]\\n// Clean up the output\\n| extend GuardDutyDetails =\\n bag_pack( \\n \\\"DetectorId\\\", ServiceDetails.detectorId,\\n \\\"Partition\\\", Partition,\\n \\\"Region\\\", Region\\n )\\n| extend FindingLink = \\n iff(\\n isnotempty(Region) and isnotempty(Id),\\n strcat(\\\"https://\\\", Region, \\\".console.aws.amazon.com/guardduty/home?region=\\\", Region, \\\"#/findings?fId=\\\", Id),\\n \\\"\\\"\\n )\\n| extend FindingLinkDescription = \\n iff(\\n 
isnotempty(FindingLink),\\n strcat(\\\"Link to GuardDuty finding (AWS): \\\", FindingLink),\\n \\\"\\\"\\n )\\n| project-rename \\n FindingArn=Arn,\\n FindingId=Id,\\n AWSAccountId=AccountId\\n| project-away \\n ActivityType, \\n findingTokens,\\n Partition,\\n Region, \\n SchemaVersion,\\n TimeGenerated,\\n Type\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"ThreatFamilyName\":\"ThreatFamilyName\",\"DetectionMechanism\":\"DetectionMechanism\",\"Artifact\":\"Artifact\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"RemoteAWSAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"RemoteIpAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"LocalIpAddress\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"FindingLink\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. 
This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2024-03-27T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| extend file_ext = extract(@'.*(\\\\.\\\\w+)$', 1, UrlOriginal)\\n| extend Filename = extract(@'.*\\\\/*\\\\/(.*\\\\.\\\\w+)$', 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Identities\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2023-12-29T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue =~ 'Administrative'\\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\\n| where _ResourceId has 'AdFederationService'\\n| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/servicemembers/action'\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Microsoft Entra ID Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Microsoft Entra ID Hybrid 
Health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-premises AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet SecurityAlerts = SecurityAlert\\n| where TimeGenerated > ago(dt_lookBack)\\n| extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n| where isnotempty(domain)\\n| mv-expand domain\\n| extend domain = tostring(domain)\\n| extend EntitiesDynamicArray = parse_json(Entities)\\n| mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n| extend Alert_TimeGenerated = TimeGenerated\\n| extend Alert_Description = Description;\\nlet AlertDomains = 
SecurityAlerts\\n| distinct domain\\n| summarize make_list(domain);\\nlet Domain_Indicators = materialize(ThreatIntelligenceIndicator\\n| where isnotempty(DomainName)\\n| where TimeGenerated >= ago(ioc_lookBack)\\n| extend TI_DomainEntity = tolower(DomainName)\\n| where TI_DomainEntity in (AlertDomains)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true and ExpirationDateTime > now()\\n| where Description !contains_cs \\\"State: inactive;\\\" and Description !contains_cs \\\"State: falsepos;\\\");\\nDomain_Indicators\\n// Using innerunique to keep performance fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (SecurityAlerts) on $left.TI_DomainEntity == $right.domain\\n| where Alert_TimeGenerated < ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities, Type, TI_DomainEntity\\n| extend timestamp = Alert_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP_addr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"TI map Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2024-07-09T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.4\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| 
extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64-encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2024-03-13T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.4\",\"severity\":\"Medium\",\"query\":\"// Define a threshold for significant deviations\\nlet threshold = 25;\\n// Define the name for the SharePoint File Operation record type\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\n// Define an array of SharePoint operations of interest\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\n// Define the start and end time for the analysis period\\nlet starttime = 14d;\\nlet endtime = 1d;\\n// Define a baseline of normal user behavior\\nlet userBaseline = OfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize Count = count() by UserId, Operation, Site_Url, ClientIP\\n| summarize AvgCount = avg(Count) by UserId, Operation, Site_Url, ClientIP;\\n// Get recent user activity\\nlet recentUserActivity = 
OfficeActivity\\n| where TimeGenerated > ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by UserId, UserType, Operation, Site_Url, ClientIP, OfficeObjectId, OfficeWorkload, UserAgent;\\n// Join the baseline and recent activity, and calculate the deviation\\nlet UserBehaviorAnalysis = userBaseline | join kind=inner (recentUserActivity) on UserId, Operation, Site_Url, ClientIP\\n| extend Deviation = abs(RecentCount - AvgCount) / AvgCount;\\n// Filter for significant deviations\\nUserBehaviorAnalysis\\n| where Deviation > threshold\\n| project StartTimeUtc, EndTimeUtc, UserId, UserType, Operation, ClientIP, Site_Url, OfficeObjectId, OfficeWorkload, UserAgent, Deviation, Count=RecentCount\\n| order by Count desc, ClientIP asc, Operation asc, UserId asc\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Site_Url\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. 
It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations above which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\n// Add or remove operation names below as per your requirements. For operations lists, please refer to https://learn.microsoft.com/en-us/Azure/role-based-access-control/resource-provider-operations#all\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue, bin(TimeGenerated,1d)\\n| where count_ >= alertOperationThreshold\\n// Returns all the records from the right side that don't have matches from the left\\n| join kind = rightanti (\\nSensitiveActivity\\n| where TimeGenerated >= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_list(TimeGenerated), ActivityStatusValue = make_list(ActivityStatusValue), CorrelationIds = make_list(CorrelationId), ResourceGroups = make_list(ResourceGroup), ResourceIds = make_list(_ResourceId), ActivityCountByCallerIPAddress = count()\\nby CallerIpAddress, Caller, OperationNameValue\\n| where ActivityCountByCallerIPAddress >= alertOperationThreshold\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
For example, this monitors for the operation name 'Create or Update Snapshot', which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"let threshold = 3;\\nZoomLogs\\n| where Event =~ \\\"chat_message.sent\\\"\\n| extend Channel = tostring(parse_json(ChatEvents).Channel)\\n| extend Message = tostring(parse_json(ChatEvents).Message)\\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\"\\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels)\\n| where ChannelCount > threshold\\n| extend AccountName = tostring(split(User, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(User, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]}],\"tactics\":[\"Reconnaissance\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links 
that have been shared across multiple Zoom chat channels by the same user in a short space if time.\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2024-07-15T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\\n | project-reorder TimeGenerated, OperationName, ResultReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, InitiatingAccountName, 
InitiatingAccountUPNSuffix\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don't confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| 
where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| where NetworkBytes > msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ > msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription 
contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has 
\\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize Events=count() by SourceIP, SourceHostName\\n| where Events >= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.5\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = 'FileUploaded';\\n// Extensions that are interesting. 
Add/Remove to this list as you see fit\\nlet execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated >= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl, 100000), UserId = make_set(UserId, 100000) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount > threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId\\n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\\n| extend UserIdUserFolderFormat = tolower(replace_regex(UserId, '@|\\\\\\\\.', '_'))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false )\\n| summarize TimeGenerated = make_list(TimeGenerated, 100000), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),\\nUserAgents = make_list(UserAgent, 100000), OfficeIds 
= make_list(OfficeId, 100000), SourceRelativeUrls = make_list(SourceRelativeUrl, 100000), FileNames = make_list(SourceFileName, 100000)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend AccountName = tostring(split(UserId, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(UserId, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Site_Url\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileNames\"}]}],\"tactics\":[\"CommandAndControl\",\"LateralMovement\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(SharePoint)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5;\\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins =\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\\n| extend AccountName = case( 
UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 1)[0]), \\\"\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number (defualt of 5) of failed logon attempts to Microsoft Entra ID.\\nUses that list to identify any successful AWS Console logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2023-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName),\\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount >= threshold\\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);\\nlet SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', 
'9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * 'SHA256=' SHA256 ',' * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = 
ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames)\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP\\n),\\n(AZFWApplicationRule\\n| where isnotempty(Fqdn)\\n| where Fqdn has_any (DomainNames)\\n| extend DNSName = Fqdn \\n| extend IPAddress = SourceIp\\n),\\n(AZFWDnsQuery\\n| where QueryName has_any (DomainNames)\\n| extend DNSName = QueryName\\n| extend IPAddress = SourceIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"[Deprecated] - Known Diamond Sleet Comebacker and Klackring malware hashes\",\"description\":\"This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. 
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\",\"AZFWApplicationRule\",\"AZFWDnsQuery\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2149d9bb-8298-444c-8f99-f7bf0274dd05\",\"name\":\"2149d9bb-8298-444c-8f99-f7bf0274dd05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",
\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SEABORGIUMIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet DomainNames = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * '(' DNSName ')' *\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n),\\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames)\\n| extend IPAddress = RemoteIP\\n| extend Computer = DeviceName\\n),\\n(EmailUrlInfo\\n| where Url has_any (DomainNames)\\n| join (EmailEvents\\n| where EmailDirection == \\\"Inbound\\\" ) on NetworkMessageId\\n| extend IPAddress = SenderIPv4\\n| extend Account = RecipientEmailAddress\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames)\\n| extend DNSName = DestinationHost\\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend AccountName = tostring(split(Account, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Account, \\\"@\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(Account, \\\"@\\\")[1])\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Star Blizzard C2 Domains August 2022\",\"description\":\"Identifies a match across various data feeds for domains related to an actor tracked by Microsoft as Star 
Blizzard.\",\"lastUpdatedDateUTC\":\"2024-06-25T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"EmailUrlInfo\",\"EmailEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"union isfuzzy=true\\n (DeviceFileEvents\\n | where ActionType == \\\"FileCreated\\\"\\n | where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\"\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by\\n AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain,\\n DeviceName,\\n Type,\\n InitiatingProcessId,\\n FileName,\\n FolderPath,\\n EventType = ActionType,\\n Commandline = InitiatingProcessCommandLine,\\n InitiatingProcessFileName,\\n InitiatingProcessSHA256,\\n FileHashCustomEntity = SHA256,\\n AlgorithmCustomEntity = \\\"SHA256\\\"\\n | extend HostName = tostring(split(DeviceName, \\\".\\\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\\n | extend HostNameDomain = iff(DomainIndex != -1, 
substring(DeviceName, DomainIndex + 1), DeviceName)\\n ),\\n (imFileEvent\\n | where EventType == \\\"FileCreated\\\"\\n | where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\"\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\\n by\\n ActorUsername,\\n DvcHostname,\\n DvcDomain,\\n DvcId,\\n Type,\\n EventType,\\n FileHashCustomEntity = TargetFileSHA256,\\n Hash,\\n TargetFilePath,\\n Commandline = ActingProcessCommandLine,\\n AlgorithmCustomEntity = \\\"SHA256\\\"\\n | extend AccountName = tostring(split(ActorUsername, @'\\\\')[1]), AccountDomain = tostring(split(ActorUsername, @'\\\\')[0])\\n | extend HostName = DvcHostname, HostNameDomain = DvcDomain\\n | extend DeviceName = strcat(DvcHostname, \\\".\\\", DvcDomain )\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. 
This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated > ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim('\\\"',tostring(Property.oldValue))\\n )\\n| where RoleName =~ \\\"Global Administrator\\\" // Add other Privileged role if applicable\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = 
tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName, RoleName, Initiator, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated > ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend Target = tostring(TargetResource.userPrincipalName),\\n props = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = trim('\\\"',tostring(Property.newValue))\\n )\\n| where RoleName =~ \\\"Global Administrator\\\" // Add other Privileged role if applicable\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, tostring(InitiatedBy.user.userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result;\\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime < 
RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved > 1\\n| project AddedGlobalAdminTime, Initiator, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, Target, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0])\\n| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"},{\"identifier\":\"Name\",\"columnName\":\"TargetName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatedByName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatedByUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. 
\\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| mv-expand todynamic(Entities)\\n| extend HostName = iff(isnotempty(tostring(Extprop[\\\"Compromised Host\\\"])), tolower(tostring(Extprop[\\\"Compromised Host\\\"])), tolower(tostring(parse_json(Entities).HostName)))\\n| where isnotempty(HostName)\\n| mv-expand todynamic(split(HostName, ','))\\n| extend DnsDomain = iff(isnotempty(tostring(Extprop[\\\"Machine Domain\\\"])), tostring(Extprop[\\\"Machine Domain\\\"]), tostring(parse_json(Entities).DnsDomain))\\n| extend UserName = iff(isnotempty(tostring(Extprop[\\\"User Name\\\"])), tostring(Extprop[\\\"User Name\\\"]), iff(tostring(parse_json(Entities).Type) == 'account', tostring(parse_json(Entities).Name), ''))\\n| extend NTDomain = iff(isnotempty(tostring(Extprop[\\\"User Domain\\\"])), tostring(Extprop[\\\"User Domain\\\"]), tostring(parse_json(Entities).NTDomain))\\n| extend IpAddress = iff(tostring(parse_json(Entities).Type) == 'ip', tostring(parse_json(Entities).Address), 
tostring(parse_json(Extprop).[\\\"IpAddress\\\"]))\\n| summarize timestamp = arg_max(TimeGenerated, *) by AlertName, tostring(HostName)\\n| project timestamp, AlertName, UserName, NTDomain, tostring(HostName), DnsDomain, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], HostName=tolower(tostring(data[2])), DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, HostName, DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non HostName\\n| project timestamp, AlertName, HostName, DnsDomain, UserName, NTDomain, _ResourceId, IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"NTDomain\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Detect CoreBackUp Deletion Activity from related Security Alerts\",\"description\":\"The query identifies any efforts by an attacker to delete backup containers, while also searching for any security alerts that may be linked to the same activity, in order to uncover additional information about the attacker's actions.' 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2023-11-23T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftDefenderForCloudTenantBased\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in Microsoft Entra ID\",\"description\":\"Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many 
times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2024-01-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between 
(startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated > ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = 
sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated > ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive 
records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIPMax\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2024-04-11T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog =~ \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * 'Image\\\">' Image \\\"<\\\" * 'CommandLine\\\">' CommandLine \\\"<\\\" * 'ParentImage\\\">' ParentImage \\\"<\\\" *\\n | where ParentImage has 
\\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * 'ProcessGuid\\\">' ProcessGuid \\\"<\\\" * 'Description\\\">' Description \\\"<\\\" * 'CurrentDirectory\\\">' CurrentDirectory \\\"<\\\" * 'User\\\">' User \\\"<\\\" * 'LogonGuid\\\">' LogonGuid \\\"<\\\" * 'ParentProcessGuid\\\">' ParentProcessGuid \\\"<\\\" * 'ParentImage\\\">' ParentImage \\\"<\\\" * 'ParentCommandLine\\\">' ParentCommandLine \\\"<\\\" * 'ParentUser\\\">' ParentUser \\\"<\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\\n | extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"DnsDomain\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection 
rules.\",\"lastUpdatedDateUTC\":\"2024-11-18T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.8\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\n// Function to resolve hostname to IP address using DNS logs or a lookup table (example syntax)\\nlet rdpConnections =\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend\\nFirstHop = bin(TimeGenerated, 1m),\\nFirstComputer = toupper(Computer),\\nFirstRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName), \\\"\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend\\nFirstHop = bin(TimeGenerated, 1m),\\nFirstComputer = toupper(Computer),\\nFirstRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n))\\n| join kind=inner 
(\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend\\nSecondHop = bin(TimeGenerated, 1m),\\nSecondComputer = toupper(Computer),\\nSecondRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName), \\\"\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend\\nSecondHop = bin(TimeGenerated, 1m),\\nSecondComputer = toupper(Computer),\\nSecondRemoteIPAddress = IpAddress,\\nAccount = tolower(Account)\\n))\\n)\\non Account\\n| distinct\\nAccount,\\nFirstHop,\\nFirstComputer,\\nFirstRemoteIPAddress,\\nSecondHop,\\nSecondComputer,\\nSecondRemoteIPAddress,\\nAccountType,\\nActivity,\\nLogonTypeName,\\nProcessName;\\n// Resolve hostnames to IP addresses device network Ip's\\nlet listOfFirstComputer = rdpConnections | distinct FirstComputer;\\nlet listOfSecondComputer = rdpConnections | distinct SecondComputer;\\nlet resolvedIPs =\\nDeviceNetworkInfo\\n| where TimeGenerated >= ago(endtime)\\n| where isnotempty(ConnectedNetworks) and NetworkAdapterStatus == \\\"Up\\\"\\n| extend ClientIP = tostring(parse_json(IPAddresses[0]).IPAddress)\\n| where isnotempty(ClientIP)\\n| where DeviceName in~ (listOfFirstComputer) or DeviceName in~ (listOfSecondComputer)\\n| summarize arg_max(TimeGenerated, ClientIP) by Computer= DeviceName\\n| project Computer=toupper(Computer), ResolvedIP = ClientIP;\\n// Join resolved IPs with the RDP connections\\nrdpConnections\\n| join kind=inner (resolvedIPs) on $left.FirstComputer == $right.Computer\\n| join kind=inner (resolvedIPs) on 
$left.SecondComputer == $right.Computer\\n// | where ResolvedIP != ResolvedIP1\\n| distinct\\nAccount,\\nFirstHop,\\nFirstComputer,\\nFirstComputerIP = ResolvedIP,\\nFirstRemoteIPAddress,\\nSecondHop,\\nSecondComputer,\\nSecondComputerIP = ResolvedIP1,\\nSecondRemoteIPAddress,\\nAccountType,\\nActivity,\\nLogonTypeName,\\nProcessName\\n// Ensure the first connection is before the second connection\\n// Identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match\\n// Ensure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers\\n| where FirstComputer != SecondComputer\\nand FirstRemoteIPAddress != SecondRemoteIPAddress\\nand SecondHop > FirstHop\\n// Ensure the second hop occurs within 30 minutes of the first hop\\n| where SecondHop <= FirstHop + 30m\\n| where SecondRemoteIPAddress == FirstComputerIP\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop)\\nby\\nAccount,\\nFirstComputer,\\nFirstComputerIP,\\nFirstRemoteIPAddress,\\nSecondHop,\\nSecondComputer,\\nSecondComputerIP,\\nSecondRemoteIPAddress,\\nAccountType,\\nActivity,\\nLogonTypeName,\\nProcessName\\n| extend\\nAccountName = tostring(split(Account, @\\\"\\\")[1]),\\nAccountNTDomain = tostring(split(Account, @\\\"\\\")[0])\\n| extend\\nHostName1 = tostring(split(FirstComputer, \\\".\\\")[0]),\\nDomainIndex = toint(indexof(FirstComputer, '.'))\\n| extend HostNameDomain1 = iff(DomainIndex != -1, substring(FirstComputer, DomainIndex + 1), FirstComputer)\\n| extend\\nHostName2 = tostring(split(SecondComputer, \\\".\\\")[0]),\\nDomainIndex = toint(indexof(SecondComputer, '.'))\\n| extend HostNameDomain2 = iff(DomainIndex != -1, substring(SecondComputer, DomainIndex + 1), SecondComputer)\\n| project-away 
DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"FirstComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName1\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain1\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SecondComputer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName2\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain2\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FirstIPAddress\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Query detects potential lateral movement within a network by identifying when an RDP connection (EventID 4624, LogonType 10) is made to an initial system, followed by a subsequent RDP connection from that system to another, using the same account within a 60-minute window.\\n To reduce false positives, it excludes scenarios where the same account has made 5 or more connections to the same set of computers in the previous 7 days. 
This approach focuses on highlighting unusual RDP behaviour that suggests lateral movement, which is often associated with attacker tactics during a network breach.\",\"lastUpdatedDateUTC\":\"2024-09-27T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated > ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles contains 'Admin'\\n | summarize by AccountUPN);\\nAuditLogs\\n| where TimeGenerated > ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = 
tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"User\\\"\\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName)\\n )\\n| where TargetUserPrincipalName in~ (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by InitiatingAppName, InitiatingAppServicePrincipalId, \\nInitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIpAddress, TargetUserPrincipalName, Result\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1]), \\nTargetName = iff(tostring(TargetUserPrincipalName) has \\\"[\\\", \\\"\\\", tostring(split(TargetUserPrincipalName,'@',0)[0])), TargetUPNSuffix = iff(tostring(TargetUserPrincipalName) has \\\"[\\\", \\\"\\\", 
tostring(split(TargetUserPrincipalName,'@',1)[0]))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ >= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2023-10-09T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b185ac23-dc27-4573-8192-1134c7a95f4f\",\"name\":\"b185ac23-dc27-4573-8192-1134c7a95f4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"Dynamics365Activity\\n| extend Message = tostring(split(OriginalObjectId, ' ')[0])\\n| where Message =~ 'IsDataEncryptionActive'\\n| project-reorder TimeGenerated, Message, UserId, ClientIP, InstanceUrl, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Dynamics Encryption Settings Changed\",\"description\":\"This query looks for changes to the Data Encryption settings for Dynamics 365.\\nReference: 
https://docs.microsoft.com/microsoft-365/compliance/office-365-encryption-in-microsoft-dynamics-365\",\"lastUpdatedDateUTC\":\"2022-12-12T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Dynamics365\",\"dataTypes\":[\"Dynamics365Activity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\\n| extend AccountName = case( UserIdentityPrincipalid == \\\"Anonymous\\\", \\\"Anonymous\\\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\\n| extend AccountName = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 0)[0]), AccountName),\\n AccountUPNSuffix = iif(AccountName contains \\\"@\\\", tostring(split(AccountName, '@', 1)[0]), \\\"\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, 
AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"},{\"identifier\":\"CloudAppAccountId\",\"columnName\":\"RecipientAccountId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: 
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = 
tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. 
This query looks for users adding agents to pools they have not added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a configurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nlet threshold = 5;\\nlet o365_attack_regex = \\\"contacts.read|user.read|mail.read|notes.read.all|mailboxsettings.readwrite|Files.ReadWrite.All|mail.send|files.read|files.read.all\\\";\\nlet o365_attack = dynamic([\\\"contacts.read\\\", \\\"user.read\\\", \\\"mail.read\\\", \\\"notes.read.all\\\", \\\"mailboxsettings.readwrite\\\", \\\"Files.ReadWrite.All\\\", \\\"mail.send\\\", \\\"files.read\\\", \\\"files.read.all\\\"]);\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend AppDisplayName = tostring(TargetResource.displayName),\\n AppClientId = tostring(TargetResource.id),\\n props = 
TargetResource.modifiedProperties\\n )\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\"))) // NOTE: a MATCH from this list will cause the alert to NOT fire - please modify for your environment!\\n| mv-apply ConsentFull = props on \\n (\\n where ConsentFull.displayName =~ \\\"ConsentAction.Permissions\\\"\\n )\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\", CreatedDateTime\\\" * \\\"]\\\" *\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| where ConsentFull has_any (o365_attack) \\n| extend GrantScopeCount = countof(tolower(GrantScope1), o365_attack_regex, 'regex')\\n| where GrantScopeCount > threshold\\n| extend GrantInitiatedByAppName = tostring(InitiatedBy.app.displayName)\\n| extend GrantInitiatedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend GrantInitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend GrantInitiatedByAadUserId = tostring(InitiatedBy.user.id)\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(GrantInitiatedByUserPrincipalName), GrantInitiatedByUserPrincipalName, GrantInitiatedByAppName)\\n| mv-apply AdditionalDetail = AdditionalDetails on \\n (\\n where AdditionalDetail.key =~ \\\"User-Agent\\\"\\n | extend GrantUserAgent = AdditionalDetail.value\\n )\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, 
GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n | where TimeGenerated > ago(joinLookback)\\n | where LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add service principal\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\"\\n | extend props = TargetResource.modifiedProperties,\\n AppClientId = tostring(TargetResource.id)\\n )\\n | mv-apply Property = props on \\n (\\n where Property.displayName =~ \\\"AppAddress\\\" and Property.newValue has \\\"AddressType\\\"\\n | extend AppReplyURLs = trim('\\\"',tostring(Property.newValue))\\n )\\n | distinct AppClientId, tostring(AppReplyURLs)\\n) on AppClientId\\n| join kind = innerunique (AuditLogs\\n | where TimeGenerated > ago(joinLookback)\\n | where LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n | mv-apply TargetResource = TargetResources on \\n (\\n where TargetResource.type =~ \\\"ServicePrincipal\\\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\\n | extend GrantAuthentication = tostring(TargetResource.displayName)\\n )\\n | extend GrantOperation = OperationName\\n | project GrantAuthentication, GrantOperation, CorrelationId\\n ) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantInitiatedByUserPrincipalName, GrantInitiatedByAadUserId, GrantInitiatedByAppName, GrantInitiatedByAppServicePrincipalId, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend Name = 
tostring(split(GrantInitiatedByUserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(GrantInitiatedByUserPrincipalName,'@',1)[0])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"GrantInitiatedByUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"GrantInitiatedByAppServicePrincipalId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"GrantIpAddress\"}]},{\"entityType\":\"CloudApplication\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AppDisplayName\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2024-01-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"Medium\",\"query\":\"REDACTED\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Microsoft Entra ID\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Microsoft Entra ID signins.\\nBecause the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potentially suspect and could indicate credential compromise for the user 
account.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names or apps to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nlet nonapproved_apps = dynamic([]);\\nAuditLogs\\n| where OperationName =~ \\\"Add user\\\" or OperationName =~ \\\"Delete user\\\"\\n| where Result =~ \\\"success\\\"\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| where InitiatingUserPrincipalName has_any (nonapproved_users) or InitiatingAppName has_any (nonapproved_apps)\\n| extend InitiatingAccountName = 
tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user principal names. 
Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog\\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount < c_threshold\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(csUserName, \\\"@\\\")[0]), 
AccountUPNSuffix = tostring(split(csUserName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"csUserName\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"cIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2023-12-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ 'rundll32.exe' \\n| where CommandLine has_all ('Execute','RegRead','window.close')\\n| project TimeGenerated, Computer, SubjectAccount = Account, SubjectUserName, SubjectDomainName, 
SubjectUserSid, Process, ProcessId, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has 'rundll32.exe' and EventData has_any ('Execute','RegRead','window.close')\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| where Process =~ 'rundll32.exe' \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all ('Execute','RegRead','window.close')\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, SubjectAccount, SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectUserSid = tostring(EventData.SubjectUserSid), Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n)\\n)\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| project-away DomainIndex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Sid\",\"columnName\":\"SubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"DnsDomain\",\"columnName\":\"HostNameDomain\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Midnight Blizzard - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when 
rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2024-01-22T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.6\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet LocalNetworks=dynamic([\\\"169.254.0.0/16\\\",\\\"127.0.0.0/8\\\"]);\\n_Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))\\n| where not(ipv4_is_private(DstIpAddr))\\n| where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))\\n| project \\n TimeGenerated\\n , SrcIpAddr\\n , SrcPortNumber\\n , DstIpAddr\\n , DstPortNumber\\n , DstBytes\\n , SrcBytes\\n| sort by \\n SrcIpAddr asc\\n , TimeGenerated asc\\n , DstIpAddr asc\\n , DstPortNumber asc\\n| serialize\\n| extend \\n nextTimeGenerated = next(TimeGenerated, 1)\\n , nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend \\n 
TimeDeltainSeconds = datetime_diff('second', nextTimeGenerated, TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds > TimeDeltaThreshold \\n| project\\n TimeGenerated\\n , TimeDeltainSeconds\\n , SrcIpAddr\\n , SrcPortNumber\\n , DstIpAddr\\n , DstPortNumber\\n , DstBytes\\n , SrcBytes\\n| summarize\\n count()\\n , sum(DstBytes)\\n , sum(SrcBytes)\\n , make_list(TimeDeltainSeconds) \\n by TimeDeltainSeconds\\n , bin(TimeGenerated, 1h)\\n , SrcIpAddr\\n , DstIpAddr\\n , DstPortNumber\\n| summarize\\n (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds)\\n , TotalEvents=sum(count_)\\n , TotalSrcBytes = sum(sum_SrcBytes)\\n , TotalDstBytes = sum(sum_DstBytes)\\n by bin(TimeGenerated, 1h)\\n , SrcIpAddr\\n , DstIpAddr\\n , DstPortNumber\\n| where TotalEvents > TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent > PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. 
Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. \\nSuch potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession 
schema\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"AzureNSG\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoAsaAma\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"AIVectraStream\",\"dataTypes\":[\"VectraStream\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoMeraki\",\"dataTypes\":[\"Syslog\",\"CiscoMerakiNativePoller\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fed0668-6d43-4c78-87e6-510f96f12145\",\"name\":\"2fed0668-6d43-4c78-87e6-510f96f12145\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\"
,\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"//Finding MDO Security alerts and extracting the Entities user, Domain, Ip, and URL.\\nlet Alert_List= dynamic([\\n\\\"Phishing link click observed in Network Traffic\\\",\\n\\\"Phish delivered due to an IP allow policy\\\",\\n\\\"A potentially malicious URL click was detected\\\",\\n\\\"High Risk Sign-in Observed in Network Traffic\\\",\\n\\\"A user clicked through to a potentially malicious URL\\\",\\n\\\"Suspicious network connection to AitM phishing site\\\",\\n\\\"Messages containing malicious entity not removed after delivery\\\",\\n\\\"Email messages containing malicious URL removed after delivery\\\",\\n\\\"Email reported by user as malware or phish\\\",\\n\\\"Phish delivered due to an ETR override\\\",\\n\\\"Phish not zapped because ZAP is disabled\\\"]);\\nSecurityAlert\\n|where ProviderName in~ (\\\"Office 365 Advanced Threat Protection\\\", \\\"OATP\\\")\\n| where AlertName in~ (Alert_List)\\n//extracting Alert Entities\\n | extend Entities = parse_json(Entities)\\n| mv-apply Entity = Entities on\\n(\\nwhere Entity.Type == 'account'\\n| extend EntityUPN = iff(isempty(Entity.UserPrincipalName), tostring(strcat(Entity.Name, \\\"@\\\", tostring (Entity.UPNSuffix))), tostring(Entity.UserPrincipalName))\\n)\\n| mv-apply Entity = Entities on\\n(\\nwhere Entity.Type == 'url'\\n| extend EntityUrl = tostring(Entity.Url)\\n)\\n| summarize AccountUpn=tolower(tostring(take_any(EntityUPN))),Url=tostring(tolower(take_any(EntityUrl))),AlertTime= min(TimeGenerated)by SystemAlertId, ProductName\\n// filtering 3pnetwork devices\\n| join kind= inner (CommonSecurityLog\\n| where DeviceVendor has_any (\\\"Palo Alto Networks\\\", \\\"Fortinet\\\", \\\"Check Point\\\", \\\"Zscaler\\\")\\n| where DeviceAction != \\\"Block\\\"\\n| where DeviceProduct startswith \\\"FortiGate\\\" or DeviceProduct startswith \\\"PAN\\\" or DeviceProduct startswith \\\"VPN\\\" or DeviceProduct startswith 
\\\"FireWall\\\" or DeviceProduct startswith \\\"NSSWeblog\\\" or DeviceProduct startswith \\\"URL\\\"\\n| where isnotempty(RequestURL)\\n| where isnotempty(SourceUserName)\\n| extend SourceUserName = tolower(SourceUserName)\\n| project\\n3plogTime=TimeGenerated,\\nDeviceVendor,\\nDeviceProduct,\\nActivity,\\nDestinationHostName,\\nDestinationIP,\\nRequestURL=tostring(tolower(RequestURL)),\\nMaliciousIP,\\nName = tostring(split(SourceUserName,\\\"@\\\")[0]),\\nUPNSuffix =tostring(split(SourceUserName,\\\"@\\\")[1]),\\nSourceUserName,\\nIndicatorThreatType,\\nThreatSeverity,AdditionalExtensions,\\nThreatConfidence)on $left.Url == $right.RequestURL and $left.AccountUpn == $right.SourceUserName\\n// Applied the condition where alert trigger 1st and then the 3p Network activity execution\\n| where AlertTime between ((3plogTime - 1h) .. (3plogTime + 1h))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUserName\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DestinationHostName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Phishing link click observed in Network Traffic\",\"description\":\"The purpose of this content is to identify successful phishing links accessed by users. Once a user clicks on a phishing link, we observe successful network activity originating from non-Microsoft network devices. 
These devices may include Palo Alto Networks, Fortinet, Check Point, and Zscaler devices.\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2023-05-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == 'DS'\\n| where AccountType != 'Machine'\\n| where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes\\n or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes-All\\n or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in 
(DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != 'Machine'\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend AccountName = tostring(split(Account, \\\"\\\\\\\\\\\")[0]), AccountNTDomain = tostring(split(Account, \\\"\\\\\\\\\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"AccountNTDomain\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. 
Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare.\",\"lastUpdatedDateUTC\":\"2024-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/276d5190-38de-4eb2-9933-b3b72f4a5737\",\"name\":\"276d5190-38de-4eb2-9933-b3b72f4a5737\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P2D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// In User & Groups and in Applications, the following \\\"AccessType\\\" values in columns PremodifiedInboundSettings and ModifiedInboundSettings are interpreted accordingly\\n// When Access Type in premodified inbound settings value was 1 that means that the initial access was allowed. When Access Type in premodified inbound settings value was 2 that means that the initial access was blocked.\\n// When Access Type in modified inbound settings value is 1 that means that now access is allowed. 
When Access Type in modified inbound settings value is 2 that means that now access is blocked.\\nAuditLogs\\n| where OperationName has \\\"Update a partner cross-tenant access setting\\\"\\n| mv-apply TargetResource = TargetResources on\\n (\\n where TargetResource.type =~ \\\"Policy\\\"\\n | extend Properties = TargetResource.modifiedProperties\\n )\\n| mv-apply Property = Properties on\\n (\\n where Property.displayName =~ \\\"b2bDirectConnectInbound\\\"\\n | extend PremodifiedInboundSettings = trim('\\\"',tostring(Property.oldValue)),\\n ModifiedInboundSettings = trim(@'\\\"',tostring(Property.newValue))\\n )\\n| where PremodifiedInboundSettings != ModifiedInboundSettings\\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, 
\\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"InitiatingAppName\"},{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAppServicePrincipalId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"Cross-tenant Access Settings Organization Inbound Direct Settings Changed\",\"description\":\"Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. 
This detection notifies when Organization Inbound Direct Settings are changed for \\\"Users & Groups\\\" and for \\\"Applications\\\".\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2022-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.3\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue =~ 'Administrative'\\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\\n| where _ResourceId has 'AdFederationService'\\n| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])\\n| project-away claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Microsoft Entra ID Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative 
category) to identify the deletion of an Microsoft Entra ID Hybrid Health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.\\nMore information is available in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2024-03-04T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated > ago(2h)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| where tolower(TargetUserPrincipalName) in (VIPUsers)\\n| extend TargetAadUserId = tostring(TargetResources[0].id)\\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\\n| extend InitiatingIPAddress = 
tostring(InitiatedBy.user.ipAddress)\\n| extend TargetAccountName = tostring(split(TargetUserPrincipalName, \\\"@\\\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \\\"@\\\")[1])\\n| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"TargetAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"TargetAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"TargetAadUserId\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserPrincipalName\"},{\"identifier\":\"Name\",\"columnName\":\"InitiatingAccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"InitiatingAccountUPNSuffix\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"InitiatingAadUserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIPAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. 
This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2024-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"IdentityInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.5\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n),\\n(WindowsEvent\\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| 
extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated > ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend HostName = tostring(split(Computer, \\\".\\\")[0]), DomainIndex = toint(indexof(Computer, '.'))\\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| project-away DomainIndex\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"},{\"identifier\":\"Name\",\"columnName\":\"SubjectUserName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"SubjectDomainName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"},{\"identifier\":\"HostName\",\"columnName\":\"HostName\"},{\"identifier\":\"NTDomain\",\"columnName\":\"HostNameDomain\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Silk Typhoon New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has 
not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.3\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); // Update this list as per your requirement\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes')\\n | extend Extension=column_ifexists(\\\"Extension\\\", \\\"\\\")\\n | where isnotempty(Extension)\\n | summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult='Success')\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]), 
'/')[-1])\\n| extend requestedFileExtension=extract(@'(\\\\.\\\\w+)$', 1, requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize\\n EventStartTime=min(TimeGenerated),\\n EventEndTime=max(TimeGenerated),\\n EventCount=count()\\n by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, Url\\n| extend\\n Name = iif(SrcUsername contains \\\"@\\\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\\n UPNSuffix = iif(SrcUsername contains \\\"@\\\", tostring(split(SrcUsername, '@', 1)[0]), \\\"\\\")\",\"customDetails\":{\"requestedFileExt\":\"requestedFileExtension\",\"Username\":\"SrcUsername\",\"SrcHostname\":\"SrcHostname\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"requestedFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUsername\"},{\"identifier\":\"Name\",\"columnName\":\"Name\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"UPNSuffix\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExtension}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExtension}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. 
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2023-12-15T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated\\n| extend AccountName = tostring(split(ActorUPN, \\\"@\\\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \\\"@\\\")[1])\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUPN\"},{\"identifier\":\"Name\",\"columnName\":\"AccountName\"},{\"identifier\":\"UPNSuffix\",\"columnName\":\"AccountUPNSuffix\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. 
An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2024-06-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/aspstest4pr7te/providers/Microsoft.OperationalInsights/workspaces/asptest4yt0n3/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == 'DS'\\n| where OperationType == 'Object Access'\\n//| where ObjectName contains '
