diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/ActionsTests.ps1 b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/ActionsTests.ps1
index 4b34ec69e4f1..22d3a04b93d1 100644
--- a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/ActionsTests.ps1
+++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/ActionsTests.ps1
@@ -22,9 +22,9 @@ function Get-AzSentinelAlertRuleAction-ListByAlertRule
 $ActionId = "cd9f21e2-1718-4b8b-871e-b8d59c65f317"
 $ActionId2 = "ccef9243-4f96-4ec5-8042-9df44e2df452"
 $LogicAppResourceId = "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser"
- $TriggerUri = "https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E"
+ $TriggerUri = "https://prod-08.eastus.logic.azure.com:443/workflows/854f1fc04f50415f83a359463dd60e8b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=D7IHsTelJf8XFdhefU6mFRYjnHaa0oHkY_xWC_wW_Vs"
 $LogicAppResourceId2 = "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage"
- $TriggerUri2 = "https://prod-16.westus.logic.azure.com:443/workflows/18c75599cf3742c998d14af0f89cf3b1/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=rREdJWoN3PNCmhqwMz0KRy8apQDt8DQbZZuvlm1l4Oo"
+ $TriggerUri2 = "https://prod-11.eastus.logic.azure.com:443/workflows/9f824303d57e4f00bea47052e4318d1b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=2cGZz7eu3Y437r3LRHpkSFUTmD0X15XXP7uiW5_aLaA"
 #Create Alert Rule
 $alertRule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName)
-WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
@@ -51,7 +51,7 @@ function Get-AzSentinelAlertRuleAction-GetAction
 $AlertRuleId = "77def5f7-ab37-4aaf-8711-904d1ab55787"
 $ActionId = "27dda575-93f0-4925-92b3-039ef4d89cad"
 $LogicAppResourceId = "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser"
- $TriggerUri = "https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E"
+ $TriggerUri = "https://prod-08.eastus.logic.azure.com:443/workflows/854f1fc04f50415f83a359463dd60e8b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=D7IHsTelJf8XFdhefU6mFRYjnHaa0oHkY_xWC_wW_Vs"
 #Create Alert Rule
 $alertRule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
@@ -76,7 +76,7 @@ function New-AzSentinelAlertRuleAction-Create
 $AlertRuleId = "26501c9d-8f07-419d-8bcb-f9aac8ec1a7f"
 $ActionId = "10d54e5f-8c03-42fc-b1d9-1bd881535af0"
 $LogicAppResourceId = "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser"
- $TriggerUri = "https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E"
+ $TriggerUri = "https://prod-08.eastus.logic.azure.com:443/workflows/854f1fc04f50415f83a359463dd60e8b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=D7IHsTelJf8XFdhefU6mFRYjnHaa0oHkY_xWC_wW_Vs"
 #Create Alert Rule
 $alertRule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10
@@ -99,9 +99,9 @@ function Update-AzSentinelAlertRuleAction-Update
 $AlertRuleId = "1584e7a3-802c-435b-9178-5720a44be2f3"
 $ActionId = "91c2ea2f-f40c-4bef-ab3b-43c09e4a9699"
 $LogicAppResourceId = "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser"
- $TriggerUri = "https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E"
+ $TriggerUri = "https://prod-08.eastus.logic.azure.com:443/workflows/854f1fc04f50415f83a359463dd60e8b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=D7IHsTelJf8XFdhefU6mFRYjnHaa0oHkY_xWC_wW_Vs"
 $LogicAppResourceId2 = "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage"
- $TriggerUri2 = "https://prod-16.westus.logic.azure.com:443/workflows/18c75599cf3742c998d14af0f89cf3b1/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=rREdJWoN3PNCmhqwMz0KRy8apQDt8DQbZZuvlm1l4Oo"
+ $TriggerUri2 = "https://prod-11.eastus.logic.azure.com:443/workflows/9f824303d57e4f00bea47052e4318d1b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=2cGZz7eu3Y437r3LRHpkSFUTmD0X15XXP7uiW5_aLaA"
 #Create Alert Rule
 $alertRule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName)
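Review bot: The replacement `$TriggerUri`/`$TriggerUri2` values still embed the Logic App trigger's `sig=` shared-access signature as a literal in source, so this rotation swaps one checked-in callback credential for another; the same pattern is in the GetAction, Create and Update hunks of this file and in the recorded `triggerUri` inside the session-record JSON files further down. A Logic App callback URL together with its `sig` is a bearer-style credential for the `Block-AADUser` and `Get-MDATPInvestigationPackage` workflows, so the superseded signatures should be treated as exposed and regenerated on the Logic App side, which the commit cannot do by itself. For the test code, read the URI from the test environment instead of a literal, e.g. `$TriggerUri = $env:SENTINEL_TEST_TRIGGER_URI` (placeholder variable name), and have the recorder redact the `sig` query parameter before session files are committed. The enclosing function Get-AzSentinelAlertRuleAction-ListByAlertRule continues outside the hunk.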
-WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Scheduled -Enabled -DisplayName "PoshModuleTest" -Severity Low -Query "SecurityAlert | take 1" -QueryFrequency (New-TimeSpan -Hours 5) -QueryPeriod (New-TimeSpan -Hours 5) -TriggerThreshold 10 diff --git a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRulesTests.ps1 b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRulesTests.ps1 index 7b7ff23ff03c..2493980a99de 100644 --- a/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRulesTests.ps1 +++ b/src/SecurityInsights/SecurityInsights.Test/ScenarioTests/AlertRulesTests.ps1 @@ -61,7 +61,8 @@ function New-AzSentinelAlertRule-CreateFusion { $AlertRuleTemplateName = "f71aba3d-28fb-450b-b192-4e76a83015c8" $AlertRuleId = "db5ded90-76a4-4c59-8581-1c8b7601b375" - + #remove builtin rule + Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId "BuiltInFusion" #Create Alert Rule $alertrule = New-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId $AlertRuleId -Fusion -Enabled -AlertRuleTemplateName $AlertRuleTemplateName diff --git a/src/SecurityInsights/SecurityInsights.Test/SecurityInsights.Test.csproj b/src/SecurityInsights/SecurityInsights.Test/SecurityInsights.Test.csproj index 9151c1b76982..f4b8d0bc771d 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SecurityInsights.Test.csproj +++ b/src/SecurityInsights/SecurityInsights.Test/SecurityInsights.Test.csproj @@ -17,7 +17,7 @@ - + diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/CreateAction.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/CreateAction.json index be4cf77b5e8a..6594d0d8dea6 100644 
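Review bot: The new `Remove-AzSentinelAlertRule ... -AlertRuleId "BuiltInFusion"` in AlertRulesTests.ps1 runs unconditionally before the create, so when the target workspace has no rule with that id (a fresh workspace, or a later run after it was already removed) the delete presumably errors and the scenario aborts before reaching the create it was meant to unblock; conversely it deletes a live rule in whatever workspace `Get-TestWorkspaceName` resolves to without any check. Make the setup idempotent by checking first, `if (Get-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId "BuiltInFusion" -ErrorAction SilentlyContinue) { Remove-AzSentinelAlertRule -ResourceGroupName (Get-TestResourceGroupName) -WorkspaceName (Get-TestWorkspaceName) -AlertRuleId "BuiltInFusion" }`, or pass `-ErrorAction SilentlyContinue` on the remove if a missing rule is acceptable for this test. The `#remove builtin rule` comment should also say why the removal is needed, presumably that the workspace admits a single Fusion rule so the template-based create collides with the built-in one; confirm against the recorded session before stating it. New-AzSentinelAlertRule-CreateFusion's body continues outside the hunk.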
--- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/CreateAction.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/CreateAction.json @@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "5d22062e-dc45-4442-856b-4d37f14601ef" + "c5267c91-f423-4549-bc62-4d42de57b63f" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "6d82d299-d67e-4288-aa8b-2f653302960e" + "4cb36aea-dab0-4f06-861c-01997ca17aed" ], "x-ms-correlation-request-id": [ - "6d82d299-d67e-4288-aa8b-2f653302960e" + "4cb36aea-dab0-4f06-861c-01997ca17aed" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211011Z:6d82d299-d67e-4288-aa8b-2f653302960e" + "WESTUS2:20210413T222656Z:4cb36aea-dab0-4f06-861c-01997ca17aed" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -57,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:11 GMT" + "Tue, 13 Apr 2021 22:26:55 GMT" ], "Content-Length": [ "972" 
@@ -69,26 +66,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/26501c9d-8f07-419d-8bcb-f9aac8ec1a7f\",\r\n \"name\": \"26501c9d-8f07-419d-8bcb-f9aac8ec1a7f\",\r\n \"etag\": \"\\\"c200c4a2-0000-0100-0000-5fd28eb30000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:10:10.5112338Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/26501c9d-8f07-419d-8bcb-f9aac8ec1a7f\",\r\n \"name\": \"26501c9d-8f07-419d-8bcb-f9aac8ec1a7f\",\r\n \"etag\": \"\\\"7f03b722-0000-0100-0000-60761ab00000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": 
\"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:26:55.9731141Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/26501c9d-8f07-419d-8bcb-f9aac8ec1a7f/actions/10d54e5f-8c03-42fc-b1d9-1bd881535af0?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzI2NTAxYzlkLThmMDctNDE5ZC04YmNiLWY5YWFjOGVjMWE3Zi9hY3Rpb25zLzEwZDU0ZTVmLThjMDMtNDJmYy1iMWQ5LTFiZDg4MTUzNWFmMD9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E\"\r\n }\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n 
\"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-08.eastus.logic.azure.com:443/workflows/854f1fc04f50415f83a359463dd60e8b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=D7IHsTelJf8XFdhefU6mFRYjnHaa0oHkY_xWC_wW_Vs\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "fb6c1119-f1d5-4447-b2b0-cb9aa968b023" + "dc625baa-5222-4c72-85ce-e2774a430b7c" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -104,20 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "07dae192-8252-4eb4-988e-176d1fb0b51b" + "8092e4fa-99f6-440f-afc7-da5a3a4e8aae" ], "x-ms-correlation-request-id": [ - "07dae192-8252-4eb4-988e-176d1fb0b51b" + "8092e4fa-99f6-440f-afc7-da5a3a4e8aae" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211012Z:07dae192-8252-4eb4-988e-176d1fb0b51b" + "WESTUS2:20210413T222656Z:8092e4fa-99f6-440f-afc7-da5a3a4e8aae" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -126,10 +123,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:12 GMT" + "Tue, 13 Apr 2021 22:26:56 GMT" ], "Content-Length": [ - "621" + "600" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -138,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/26501c9d-8f07-419d-8bcb-f9aac8ec1a7f/actions/10d54e5f-8c03-42fc-b1d9-1bd881535af0\",\r\n \"name\": \"10d54e5f-8c03-42fc-b1d9-1bd881535af0\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/26501c9d-8f07-419d-8bcb-f9aac8ec1a7f/actions/10d54e5f-8c03-42fc-b1d9-1bd881535af0\",\r\n \"name\": \"10d54e5f-8c03-42fc-b1d9-1bd881535af0\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"854f1fc04f50415f83a359463dd60e8b\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\"\r\n }\r\n}", "StatusCode": 201 }, { @@ -148,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "6a016b7e-ba54-43e3-8978-bc34efb4ba0d" + "0ff2d7df-385a-43f4-a05b-07515301fee0" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -167,23 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "89b5e083-10e0-46b6-b849-824e16f0033b" + "7c0ad213-ddbc-464d-8432-87c6b96c8a16" ], "x-ms-correlation-request-id": [ - "89b5e083-10e0-46b6-b849-824e16f0033b" + "7c0ad213-ddbc-464d-8432-87c6b96c8a16" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211012Z:89b5e083-10e0-46b6-b849-824e16f0033b" + "WESTUS2:20210413T222657Z:7c0ad213-ddbc-464d-8432-87c6b96c8a16" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -192,7 +186,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:12 GMT" + "Tue, 13 Apr 2021 22:26:56 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/GetAction.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/GetAction.json index 2e095ed17400..84d3a46a9acc 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/GetAction.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/GetAction.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "4e0aa13c-3e4e-46c9-803a-d437616d03b9" + "65bee3f7-1827-4ac8-9ad6-bdc9e99a950b" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "eb1ead1b-9405-4830-bc8f-33ee4bc54a50" + "456b2d3c-1b8f-4faf-937b-0f36345aa3b1" ], "x-ms-correlation-request-id": [ - "eb1ead1b-9405-4830-bc8f-33ee4bc54a50" + "456b2d3c-1b8f-4faf-937b-0f36345aa3b1" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211044Z:eb1ead1b-9405-4830-bc8f-33ee4bc54a50" + "WESTUS2:20210413T222702Z:456b2d3c-1b8f-4faf-937b-0f36345aa3b1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:44 GMT" + "Tue, 13 Apr 2021 22:27:02 GMT" ], "Content-Length": [ "972" 
@@ -69,26 +66,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787\",\r\n \"name\": \"77def5f7-ab37-4aaf-8711-904d1ab55787\",\r\n \"etag\": \"\\\"c20078a6-0000-0100-0000-5fd28ed40000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:10:42.4515714Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787\",\r\n \"name\": \"77def5f7-ab37-4aaf-8711-904d1ab55787\",\r\n \"etag\": \"\\\"7f031523-0000-0100-0000-60761ab60000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": 
\"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:02.2742566Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787/actions/27dda575-93f0-4925-92b3-039ef4d89cad?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzc3ZGVmNWY3LWFiMzctNGFhZi04NzExLTkwNGQxYWI1NTc4Ny9hY3Rpb25zLzI3ZGRhNTc1LTkzZjAtNDkyNS05MmIzLTAzOWVmNGQ4OWNhZD9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E\"\r\n }\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n 
\"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-08.eastus.logic.azure.com:443/workflows/854f1fc04f50415f83a359463dd60e8b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=D7IHsTelJf8XFdhefU6mFRYjnHaa0oHkY_xWC_wW_Vs\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "a9b0a11e-998e-4ef8-9186-21e2f4c61501" + "c3271c2e-9728-4911-b2e5-065cde988224" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -104,20 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "ae717d23-97fe-4aaf-98aa-50932434edd7" + "d1fd7442-9db9-4d44-b62f-d8c29b000b76" ], "x-ms-correlation-request-id": [ - "ae717d23-97fe-4aaf-98aa-50932434edd7" + "d1fd7442-9db9-4d44-b62f-d8c29b000b76" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211045Z:ae717d23-97fe-4aaf-98aa-50932434edd7" + "WESTUS2:20210413T222703Z:d1fd7442-9db9-4d44-b62f-d8c29b000b76" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -126,10 +123,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:45 GMT" + "Tue, 13 Apr 2021 22:27:02 GMT" ], "Content-Length": [ - "621" + "600" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -138,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787/actions/27dda575-93f0-4925-92b3-039ef4d89cad\",\r\n \"name\": \"27dda575-93f0-4925-92b3-039ef4d89cad\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787/actions/27dda575-93f0-4925-92b3-039ef4d89cad\",\r\n \"name\": \"27dda575-93f0-4925-92b3-039ef4d89cad\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"854f1fc04f50415f83a359463dd60e8b\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\"\r\n }\r\n}", "StatusCode": 201 }, { @@ -148,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "d2b83957-497e-479f-aba3-1eb74b3ed2c0" + "3a510042-b55c-4750-8854-41409555f72d" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -167,20 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "a7e67e98-17e3-4cf4-a39c-e6b440edc225" + "bbe24503-ec57-43e9-b807-dc713c890c26" ], "x-ms-correlation-request-id": [ - "a7e67e98-17e3-4cf4-a39c-e6b440edc225" + "bbe24503-ec57-43e9-b807-dc713c890c26" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211045Z:a7e67e98-17e3-4cf4-a39c-e6b440edc225" + "WESTUS2:20210413T222704Z:bbe24503-ec57-43e9-b807-dc713c890c26" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -189,10 +186,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:45 GMT" + "Tue, 13 Apr 2021 22:27:03 GMT" ], "Content-Length": [ - "671" + "650" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -201,7 +198,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787/actions/27dda575-93f0-4925-92b3-039ef4d89cad\",\r\n \"name\": \"27dda575-93f0-4925-92b3-039ef4d89cad\",\r\n \"etag\": \"\\\"2c05ff74-0000-0300-0000-5fd28ed50000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/77def5f7-ab37-4aaf-8711-904d1ab55787/actions/27dda575-93f0-4925-92b3-039ef4d89cad\",\r\n \"name\": \"27dda575-93f0-4925-92b3-039ef4d89cad\",\r\n \"etag\": \"\\\"e905db64-0000-0300-0000-60761ab70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"854f1fc04f50415f83a359463dd60e8b\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\"\r\n }\r\n}", "StatusCode": 200 }, { 
@@ -211,16 +208,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "f64dbed2-9b95-4a67-b760-f57376e15dbd" + "30abbd5f-bc58-4543-a3a4-8a4305955580" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -230,23 +227,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "5201200d-fd94-48e9-8dd1-a6d7da4b8de6" + "48236cfa-6777-45e3-b07e-17502853955c" ], "x-ms-correlation-request-id": [ - "5201200d-fd94-48e9-8dd1-a6d7da4b8de6" + "48236cfa-6777-45e3-b07e-17502853955c" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211045Z:5201200d-fd94-48e9-8dd1-a6d7da4b8de6" + "WESTUS2:20210413T222704Z:48236cfa-6777-45e3-b07e-17502853955c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -255,7 +249,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:45 GMT" + "Tue, 13 Apr 2021 22:27:03 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/ListByAlertRule.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/ListByAlertRule.json index b3906cedf8d9..e99bf17ea85c 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/ListByAlertRule.json 
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/ListByAlertRule.json @@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "bef58047-059d-4833-bcf0-1c592e481d3f" + "7bf28eaf-1633-48f0-9a8a-02f8fe5c4117" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "ae2a959c-5d23-4531-9bac-4d7a7b435bab" + "894ea3cc-4f84-4a23-b018-bd56a6d2f4e2" ], "x-ms-correlation-request-id": [ - "ae2a959c-5d23-4531-9bac-4d7a7b435bab" + "894ea3cc-4f84-4a23-b018-bd56a6d2f4e2" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211006Z:ae2a959c-5d23-4531-9bac-4d7a7b435bab" + "WESTUS2:20210413T222652Z:894ea3cc-4f84-4a23-b018-bd56a6d2f4e2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:05 GMT" + "Tue, 13 Apr 2021 22:26:51 GMT" ], "Content-Length": [ "972" 
@@ -69,26 +66,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47\",\r\n \"name\": \"1b64dc0e-4bf6-43c4-a503-52cba30b5c47\",\r\n \"etag\": \"\\\"c20033a2-0000-0100-0000-5fd28eae0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:10:00.3265773Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47\",\r\n \"name\": \"1b64dc0e-4bf6-43c4-a503-52cba30b5c47\",\r\n \"etag\": \"\\\"7f037522-0000-0100-0000-60761aab0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": 
\"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:26:51.7254208Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47/actions/cd9f21e2-1718-4b8b-871e-b8d59c65f317?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzFiNjRkYzBlLTRiZjYtNDNjNC1hNTAzLTUyY2JhMzBiNWM0Ny9hY3Rpb25zL2NkOWYyMWUyLTE3MTgtNGI4Yi04NzFlLWI4ZDU5YzY1ZjMxNz9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E\"\r\n }\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n 
\"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-08.eastus.logic.azure.com:443/workflows/854f1fc04f50415f83a359463dd60e8b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=D7IHsTelJf8XFdhefU6mFRYjnHaa0oHkY_xWC_wW_Vs\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "6ca479a4-903d-4915-b3c9-c71952161fc8" + "8bfbcf8a-8d45-4ba6-9ee8-651c72534e73" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -104,20 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "4594ffa1-6146-4566-b01c-6377deafec00" + "5a7f6ecd-5f8a-40db-804c-5f40e0065b0f" ], "x-ms-correlation-request-id": [ - "4594ffa1-6146-4566-b01c-6377deafec00" + "5a7f6ecd-5f8a-40db-804c-5f40e0065b0f" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211007Z:4594ffa1-6146-4566-b01c-6377deafec00" + "WESTUS2:20210413T222652Z:5a7f6ecd-5f8a-40db-804c-5f40e0065b0f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -126,10 +123,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:06 GMT" + "Tue, 13 Apr 2021 22:26:52 GMT" ], "Content-Length": [ - "621" + "600" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -138,26 +135,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47/actions/cd9f21e2-1718-4b8b-871e-b8d59c65f317\",\r\n \"name\": \"cd9f21e2-1718-4b8b-871e-b8d59c65f317\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47/actions/cd9f21e2-1718-4b8b-871e-b8d59c65f317\",\r\n \"name\": \"cd9f21e2-1718-4b8b-871e-b8d59c65f317\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"854f1fc04f50415f83a359463dd60e8b\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\"\r\n }\r\n}", "StatusCode": 201 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47/actions/ccef9243-4f96-4ec5-8042-9df44e2df452?api-version=2020-01-01", "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzFiNjRkYzBlLTRiZjYtNDNjNC1hNTAzLTUyY2JhMzBiNWM0Ny9hY3Rpb25zL2NjZWY5MjQzLTRmOTYtNGVjNS04MDQyLTlkZjQ0ZTJkZjQ1Mj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\",\r\n \"triggerUri\": \"https://prod-16.westus.logic.azure.com:443/workflows/18c75599cf3742c998d14af0f89cf3b1/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=rREdJWoN3PNCmhqwMz0KRy8apQDt8DQbZZuvlm1l4Oo\"\r\n }\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\",\r\n \"triggerUri\": \"https://prod-11.eastus.logic.azure.com:443/workflows/9f824303d57e4f00bea47052e4318d1b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=2cGZz7eu3Y437r3LRHpkSFUTmD0X15XXP7uiW5_aLaA\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "ae32257a-83e0-47be-afed-ea8963e1b1a8" + "1c095789-c67c-4e11-830d-dfbfb5bae184" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + 
"Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -173,20 +170,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1197" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1197" + ], "x-ms-request-id": [ - "5446850f-25a2-4ddd-bdb1-c1610e6760d9" + "0a8db22c-30f3-4c56-b295-07d2dc7b2ef0" ], "x-ms-correlation-request-id": [ - "5446850f-25a2-4ddd-bdb1-c1610e6760d9" + "0a8db22c-30f3-4c56-b295-07d2dc7b2ef0" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211008Z:5446850f-25a2-4ddd-bdb1-c1610e6760d9" + "WESTUS2:20210413T222654Z:0a8db22c-30f3-4c56-b295-07d2dc7b2ef0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -195,10 +192,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:07 GMT" + "Tue, 13 Apr 2021 22:26:53 GMT" ], "Content-Length": [ - "637" + "616" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -207,7 +204,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47/actions/ccef9243-4f96-4ec5-8042-9df44e2df452\",\r\n \"name\": \"ccef9243-4f96-4ec5-8042-9df44e2df452\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"18c75599cf3742c998d14af0f89cf3b1\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1b64dc0e-4bf6-43c4-a503-52cba30b5c47/actions/ccef9243-4f96-4ec5-8042-9df44e2df452\",\r\n \"name\": \"ccef9243-4f96-4ec5-8042-9df44e2df452\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"9f824303d57e4f00bea47052e4318d1b\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\"\r\n }\r\n}", "StatusCode": 201 }, { 
@@ -217,16 +214,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "608fa582-fe0c-4eaa-ac17-ee76306cf32d" + "52f9a01b-0fc8-4e05-ae6d-1e0e52592b10" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -236,20 +233,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "ada96fe8-3b76-47e5-a95c-c6ad77ff3d4d" + "e5c8289e-54a2-4fa8-b516-6a043d7dbc81" ], "x-ms-correlation-request-id": [ - "ada96fe8-3b76-47e5-a95c-c6ad77ff3d4d" + "e5c8289e-54a2-4fa8-b516-6a043d7dbc81" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211008Z:ada96fe8-3b76-47e5-a95c-c6ad77ff3d4d" + "WESTUS2:20210413T222654Z:e5c8289e-54a2-4fa8-b516-6a043d7dbc81" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -258,10 +255,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:08 GMT" + "Tue, 13 Apr 2021 22:26:54 GMT" ], "Content-Length": [ - "1481" + "1439" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -270,7 +267,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_1b64dc0e-4bf6-43c4-a503-52cba30b5c47_cd9f21e2-1718-4b8b-871e-b8d59c65f317/actions/cd9f21e2-1718-4b8b-871e-b8d59c65f317\",\r\n \"name\": \"cd9f21e2-1718-4b8b-871e-b8d59c65f317\",\r\n \"etag\": \"\\\"2c05a571-0000-0300-0000-5fd28eae0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_1b64dc0e-4bf6-43c4-a503-52cba30b5c47_ccef9243-4f96-4ec5-8042-9df44e2df452/actions/ccef9243-4f96-4ec5-8042-9df44e2df452\",\r\n \"name\": \"ccef9243-4f96-4ec5-8042-9df44e2df452\",\r\n \"etag\": \"\\\"2c05ce71-0000-0300-0000-5fd28eb00000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"18c75599cf3742c998d14af0f89cf3b1\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_1b64dc0e-4bf6-43c4-a503-52cba30b5c47_cd9f21e2-1718-4b8b-871e-b8d59c65f317/actions/cd9f21e2-1718-4b8b-871e-b8d59c65f317\",\r\n \"name\": \"cd9f21e2-1718-4b8b-871e-b8d59c65f317\",\r\n \"etag\": \"\\\"e905ed61-0000-0300-0000-60761aac0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"854f1fc04f50415f83a359463dd60e8b\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_1b64dc0e-4bf6-43c4-a503-52cba30b5c47_ccef9243-4f96-4ec5-8042-9df44e2df452/actions/ccef9243-4f96-4ec5-8042-9df44e2df452\",\r\n \"name\": \"ccef9243-4f96-4ec5-8042-9df44e2df452\",\r\n \"etag\": \"\\\"e9053062-0000-0300-0000-60761aad0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"9f824303d57e4f00bea47052e4318d1b\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\"\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { 
@@ -280,16 +277,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "8fa9e4d6-1774-4501-bdad-0ffcb87f1105" + "b9de93c3-a571-442e-9c80-88dd4f4a5e4c" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -299,23 +296,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "e752a4ae-b2d1-4116-8163-eec5fe20e481" + "6176770b-4133-4b5e-a12e-ac6b5066d410" ], "x-ms-correlation-request-id": [ - "e752a4ae-b2d1-4116-8163-eec5fe20e481" + "6176770b-4133-4b5e-a12e-ac6b5066d410" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211009Z:e752a4ae-b2d1-4116-8163-eec5fe20e481" + "WESTUS2:20210413T222654Z:6176770b-4133-4b5e-a12e-ac6b5066d410" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -324,7 +318,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:08 GMT" + "Tue, 13 Apr 2021 22:26:54 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/RemoveAction.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/RemoveAction.json index 770a18f6502a..9fcfb34be1af 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/RemoveAction.json 
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/RemoveAction.json @@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "f1b4cef9-77e9-416b-b513-8227c616ff6a" + "c25096a9-edc9-4f67-844f-5d0247963786" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "6e87242e-035d-47ad-b18d-73af35267a05" + "6b0f118b-6dab-4cbd-a86a-a2536c21b8c0" ], "x-ms-correlation-request-id": [ - "6e87242e-035d-47ad-b18d-73af35267a05" + "6b0f118b-6dab-4cbd-a86a-a2536c21b8c0" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211047Z:6e87242e-035d-47ad-b18d-73af35267a05" + "WESTUS2:20210413T222706Z:6b0f118b-6dab-4cbd-a86a-a2536c21b8c0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:47 GMT" + "Tue, 13 Apr 2021 22:27:05 GMT" ], "Content-Length": [ "972" 
@@ -69,8 +66,8 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae\",\r\n \"name\": \"d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae\",\r\n \"etag\": \"\\\"c200c6a6-0000-0100-0000-5fd28ed70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:10:47.2745527Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae\",\r\n \"name\": \"d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae\",\r\n \"etag\": \"\\\"7f034c23-0000-0100-0000-60761ab90000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": 
\"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:05.6886293Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae/actions/4044b6d3-de80-4c37-81f2-46d96dfdd78b?api-version=2020-01-01", 
@@ -79,16 +76,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "9a9b2323-2f57-448a-97f7-e6d91ce13d87" + "4556c2fc-3fb0-4aad-8cb9-aaa0b113f607" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -104,20 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "a7a3ad25-d71e-4bd1-a60d-5f0f806ac354" + "cadd7a93-555d-4b6d-8581-329eca75614d" ], "x-ms-correlation-request-id": [ - "a7a3ad25-d71e-4bd1-a60d-5f0f806ac354" + "cadd7a93-555d-4b6d-8581-329eca75614d" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211049Z:a7a3ad25-d71e-4bd1-a60d-5f0f806ac354" + "WESTUS2:20210413T222706Z:cadd7a93-555d-4b6d-8581-329eca75614d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -126,10 +123,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:48 GMT" + "Tue, 13 Apr 2021 22:27:06 GMT" ], "Content-Length": [ - "621" + "600" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -138,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae/actions/4044b6d3-de80-4c37-81f2-46d96dfdd78b\",\r\n \"name\": \"4044b6d3-de80-4c37-81f2-46d96dfdd78b\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/d1ae0250-f1d8-4cd2-9806-e2375dd7c4ae/actions/4044b6d3-de80-4c37-81f2-46d96dfdd78b\",\r\n \"name\": \"4044b6d3-de80-4c37-81f2-46d96dfdd78b\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\"\r\n }\r\n}", "StatusCode": 201 }, { @@ -148,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "5ea069aa-ae04-415a-b753-bbaa1e5ec92f" + "ff757f26-ba85-44bb-95ba-8a3f02e981d2" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -174,13 +171,13 @@ "14999" ], "x-ms-request-id": [ - "e3df8dc9-1ab9-4040-80e6-d0a7e0321540" + "0bd357f7-2b01-45ff-bbf6-a5759cee27e6" ], "x-ms-correlation-request-id": [ - "e3df8dc9-1ab9-4040-80e6-d0a7e0321540" + "0bd357f7-2b01-45ff-bbf6-a5759cee27e6" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211049Z:e3df8dc9-1ab9-4040-80e6-d0a7e0321540" + "WESTUS2:20210413T222707Z:0bd357f7-2b01-45ff-bbf6-a5759cee27e6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -189,7 +186,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:49 GMT" + "Tue, 13 Apr 2021 22:27:06 GMT" ], "Expires": [ "-1" @@ -208,16 +205,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "2dc2bf21-1720-484d-a119-35b7656c3a9d" + "cf3e0b20-48ae-474b-90bb-0b8a45c37639" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -227,23 +224,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14998" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14998" + ], "x-ms-request-id": [ - "2f95e8b9-ea6f-471f-8c25-29f033783822" + "b3f828bd-7a60-463c-ba24-3c67ced49c6b" ], "x-ms-correlation-request-id": [ - "2f95e8b9-ea6f-471f-8c25-29f033783822" + "b3f828bd-7a60-463c-ba24-3c67ced49c6b" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211049Z:2f95e8b9-ea6f-471f-8c25-29f033783822" + "WESTUS2:20210413T222707Z:b3f828bd-7a60-463c-ba24-3c67ced49c6b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -252,7 +246,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:10:49 GMT" + "Tue, 13 Apr 2021 22:27:06 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/UpdateAction.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/UpdateAction.json index 3f16c62c5270..0302e1b63a9b 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/UpdateAction.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.ActionsTests/UpdateAction.json @@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "5efe1b33-9380-494f-a985-3ff6dcba0fb8" + "8c2c90d4-3f6a-4c21-acf1-25780094a9ee" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "0384ca21-0888-4e8e-aa0d-045f214f9eb0" + "e2243ee7-fdf8-49b1-a373-f6ad3aa57b11" ], "x-ms-correlation-request-id": [ - "0384ca21-0888-4e8e-aa0d-045f214f9eb0" + "e2243ee7-fdf8-49b1-a373-f6ad3aa57b11" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T212658Z:0384ca21-0888-4e8e-aa0d-045f214f9eb0" + "WESTUS2:20210413T222658Z:e2243ee7-fdf8-49b1-a373-f6ad3aa57b11" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,10 +54,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:26:57 GMT" + "Tue, 13 Apr 2021 22:26:58 GMT" ], "Content-Length": [ - "971" + "972" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -69,26 +66,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3\",\r\n \"name\": \"1584e7a3-802c-435b-9178-5720a44be2f3\",\r\n \"etag\": \"\\\"c3009c04-0000-0100-0000-5fd292a20000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:26:54.679712Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3\",\r\n \"name\": \"1584e7a3-802c-435b-9178-5720a44be2f3\",\r\n \"etag\": \"\\\"7f03de22-0000-0100-0000-60761ab20000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": 
\"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:26:58.3797277Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzE1ODRlN2EzLTgwMmMtNDM1Yi05MTc4LTU3MjBhNDRiZTJmMy9hY3Rpb25zLzkxYzJlYTJmLWY0MGMtNGJlZi1hYjNiLTQzYzA5ZTRhOTY5OT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-13.westus.logic.azure.com:443/workflows/826a95b1b84c4ffbaf3af3dd88fe96b5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=pK23xWl4uJT4RWs7zopxiP0Z7CpIfCDZEanL-mEyy1E\"\r\n }\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n 
\"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"triggerUri\": \"https://prod-08.eastus.logic.azure.com:443/workflows/854f1fc04f50415f83a359463dd60e8b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=D7IHsTelJf8XFdhefU6mFRYjnHaa0oHkY_xWC_wW_Vs\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "631a0705-5765-4554-af99-8ffb4005ae92" + "186b2991-4a92-4b3c-9753-5d0365451ed3" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -104,20 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "47d309dc-0a14-4b7d-958d-6d6237eb0e9d" + "d3007c7c-7628-42f9-81f3-5257f4f1d42d" ], "x-ms-correlation-request-id": [ - "47d309dc-0a14-4b7d-958d-6d6237eb0e9d" + "d3007c7c-7628-42f9-81f3-5257f4f1d42d" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T212659Z:47d309dc-0a14-4b7d-958d-6d6237eb0e9d" + "WESTUS2:20210413T222659Z:d3007c7c-7628-42f9-81f3-5257f4f1d42d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -126,10 +123,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:26:59 GMT" + "Tue, 13 Apr 2021 22:26:59 GMT" ], "Content-Length": [ - "621" + "600" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -138,26 +135,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"name\": \"91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"name\": \"91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"854f1fc04f50415f83a359463dd60e8b\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\"\r\n }\r\n}", "StatusCode": 201 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699?api-version=2020-01-01", "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzE1ODRlN2EzLTgwMmMtNDM1Yi05MTc4LTU3MjBhNDRiZTJmMy9hY3Rpb25zLzkxYzJlYTJmLWY0MGMtNGJlZi1hYjNiLTQzYzA5ZTRhOTY5OT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\",\r\n \"triggerUri\": \"https://prod-16.westus.logic.azure.com:443/workflows/18c75599cf3742c998d14af0f89cf3b1/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=rREdJWoN3PNCmhqwMz0KRy8apQDt8DQbZZuvlm1l4Oo\"\r\n }\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\",\r\n \"triggerUri\": \"https://prod-11.eastus.logic.azure.com:443/workflows/9f824303d57e4f00bea47052e4318d1b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2018-07-01-preview&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=2cGZz7eu3Y437r3LRHpkSFUTmD0X15XXP7uiW5_aLaA\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "ecd2e580-c3e1-47fa-9e18-93cfabff5969" + "b872603a-0e9b-460d-ab6b-d7e309dfca25" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + 
"Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -173,20 +170,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1197" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1197" + ], "x-ms-request-id": [ - "a51d1af7-4e84-4c69-85de-5a9c1e851354" + "c50a7d98-f76c-4b69-bf3e-2cea82e11be7" ], "x-ms-correlation-request-id": [ - "a51d1af7-4e84-4c69-85de-5a9c1e851354" + "c50a7d98-f76c-4b69-bf3e-2cea82e11be7" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T212700Z:a51d1af7-4e84-4c69-85de-5a9c1e851354" + "WESTUS2:20210413T222700Z:c50a7d98-f76c-4b69-bf3e-2cea82e11be7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -195,10 +192,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:27:00 GMT" + "Tue, 13 Apr 2021 22:27:00 GMT" ], "Content-Length": [ - "637" + "616" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -207,7 +204,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"name\": \"91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"18c75599cf3742c998d14af0f89cf3b1\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"name\": \"91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"9f824303d57e4f00bea47052e4318d1b\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Get-MDATPInvestigationPackage\"\r\n }\r\n}", "StatusCode": 200 }, { 
@@ -217,16 +214,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "fd8e67a7-35ac-47ad-8105-195ee5aed493" + "b872603a-0e9b-460d-ab6b-d7e309dfca25" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -236,20 +233,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "ab12c248-f7ff-423f-9a33-5ce88914b165" + "78f37b1a-ec1a-4e9c-a9d9-2e4c02b64cd7" ], "x-ms-correlation-request-id": [ - "ab12c248-f7ff-423f-9a33-5ce88914b165" + "78f37b1a-ec1a-4e9c-a9d9-2e4c02b64cd7" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T212659Z:ab12c248-f7ff-423f-9a33-5ce88914b165" + "WESTUS2:20210413T222700Z:78f37b1a-ec1a-4e9c-a9d9-2e4c02b64cd7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -258,10 +255,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:26:59 GMT" + "Tue, 13 Apr 2021 22:27:00 GMT" ], "Content-Length": [ - "671" + "650" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -270,7 +267,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"name\": \"91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"etag\": \"\\\"2c051fd2-0000-0300-0000-5fd292a30000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"826a95b1b84c4ffbaf3af3dd88fe96b5\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\",\r\n \"operatesOn\": \"Alert\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/1584e7a3-802c-435b-9178-5720a44be2f3/actions/91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"name\": \"91c2ea2f-f40c-4bef-ab3b-43c09e4a9699\",\r\n \"etag\": \"\\\"e9051464-0000-0300-0000-60761ab30000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules/actions\",\r\n \"properties\": {\r\n \"workflowId\": \"854f1fc04f50415f83a359463dd60e8b\",\r\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.Logic/workflows/Block-AADUser\"\r\n }\r\n}", "StatusCode": 200 }, { 
@@ -280,16 +277,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "c7ce8373-d85a-4b17-b1e9-6033d9c1dbc2" + "a5587f02-d665-49ae-a2a9-3a92686da545" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -299,23 +296,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "ca12c214-7467-46ed-bc72-95d214c16e99" + "6fe713de-65c6-4823-b2eb-cdb8d4aef596" ], "x-ms-correlation-request-id": [ - "ca12c214-7467-46ed-bc72-95d214c16e99" + "6fe713de-65c6-4823-b2eb-cdb8d4aef596" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T212701Z:ca12c214-7467-46ed-bc72-95d214c16e99" + "WESTUS2:20210413T222701Z:6fe713de-65c6-4823-b2eb-cdb8d4aef596" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -324,7 +318,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:27:00 GMT" + "Tue, 13 Apr 2021 22:27:00 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/Get.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/Get.json index 0a056419d82b..73aac1684c3b 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/Get.json 
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/Get.json @@ -7,16 +7,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "2cca60e0-2c00-46ba-b757-af7fd3f20370" + "6b96737e-e99b-43a1-864b-68a4a3104e3f" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -26,20 +26,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "127a4fe5-5121-48c8-8c27-ddabf7ccdaa3" + "55965c85-f1e5-459c-a6cd-eee7239f85bd" ], "x-ms-correlation-request-id": [ - "127a4fe5-5121-48c8-8c27-ddabf7ccdaa3" + "55965c85-f1e5-459c-a6cd-eee7239f85bd" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T214404Z:127a4fe5-5121-48c8-8c27-ddabf7ccdaa3" + "WESTUS2:20210413T224637Z:55965c85-f1e5-459c-a6cd-eee7239f85bd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -48,10 +48,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:44:03 GMT" + "Tue, 13 Apr 2021 22:46:37 GMT" ], "Content-Length": [ - "517052" + "800430" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -60,26 +60,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"name\": \"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated >= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated >= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = 
materialize( EventInfo\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Full Admin policy created and then attached to Roles, Users or Groups\",\r\n \"description\": \"Identity and Access 
Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\r\n \"name\": \"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nSymantecProxySG\\n| where TimeGenerated >= timeframe\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 
0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User Accessed Suspicious URL Categories\",\r\n \"description\": \"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecProxySG\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"name\": \"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"displayName\": \"Create incidents based on Azure Security Center for IoT alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Security Center for IoT\",\r\n \"lastUpdatedDateUTC\": \"2019-12-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n 
{\r\n \"connectorId\": \"IoT\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (ASC for IoT)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 2\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\r\n \"name\": \"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName == \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount > threshold\\n;\\n// 
Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\\n| where OperationName == \\\"Consent to application\\\"\\n| extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), \\ntostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType , CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 3,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": 
\"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare application consent\",\r\n \"description\": \"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"LateralMovement\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\r\n \"name\": \"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n 
\"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationName, ActivityStatus, Category, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AzureActivity\",\r\n \"description\": \"Identifies a match in AzureActivity from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"name\": \"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Office 365 Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Office 365 Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Office 365 Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": 
\"2020-09-01T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OfficeATP\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (OATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 1\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\r\n \"name\": \"106813db-679e-4382-a51b-1bfc463befc3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | where 
isnotempty(PA_Url)\\n | extend CSL_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CSL_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to PaloAlto data\",\r\n \"description\": \"Identifies a match in PaloAlto data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\r\n \"name\": \"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated > ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 3 downloads/uploads from a new user agent today\\n| where recentCount > threshold;\\nOfficeActivity \\n| where TimeGenerated > ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SharePointFileOperation via devices with previously unseen user agents\",\r\n \"description\": \"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 5).\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\r\n \"name\": \"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData = \\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from ago(starttime) to ago(endtime) step timeframe by Process;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total > TotalEventsThreshold;\\nTimeSeriesAlerts\\n| join (\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated \\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score \\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n 
\"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Process execution frequency anomaly\",\r\n \"description\": \"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors. \\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. \\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\r\n \"name\": \"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet 
TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds > TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents > TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent > PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = 
SourceUserID, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Palo Alto - potential beaconing detected\",\r\n \"description\": \"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\r\n \"name\": \"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 15;\\nSymantecVIP\\n| where TimeGenerated > timeframe\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n 
\"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Failed Authentication from Invalid Inputs\",\r\n \"description\": \"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecVIP\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\r\n \"name\": \"69a45b05-71f5-45ca-8944-2e038747fb39\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --> SecondHop > FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --> FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --> FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop > FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop <= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude 
counts of 5 or more on a given day\\n| where ComputerCount >= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"RDP Nesting\",\r\n \"description\": \"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\r\n \"name\": \"cf3ede88-a429-493b-9108-3e46d3c741f7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated > ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize 
FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess >= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SecurityEvent - Multiple authentication failures followed by a success\",\r\n \"description\": \"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\r\n \"name\": \"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, 
AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to AWS Security Group ingress and egress settings\",\r\n \"description\": \"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\r\n \"name\": \"84cf1d59-f620-4fee-b569-68daf7008b7b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 10;\\nQualysHostDetection_CL\\n| where TimeGenerated >= timeframe\\n| 
mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s >= threshold\\n| extend timestamp = StartTime\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"New High Severity Vulnerability Detected Across Multiple Hosts\",\r\n \"description\": \"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"QualysVulnerabilityManagement\",\r\n \"dataTypes\": [\r\n \"QualysHostDetection_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\r\n \"name\": \"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable/remove policy\\n| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| 
where Operation has_any (\\\"AntiPhish\\\", \\\"SafeAttachment\\\", \\\"SafeLinks\\\", \\\"Dlp\\\", \\\"Audit\\\")\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Office policy tampering\",\r\n \"description\": \"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\r\n \"name\": \"2b701288-b428-4fb8-805e-e4372c574786\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\nlet timeRange = 30d;\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet signinData =\\n SigninLogs\\n | where TimeGenerated >= ago(timeRange)\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(LocationDetails['countryOrRegion'])\\n | where 
isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta >= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries >= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in data, this can be configured, less than 10% is uncommon\\n| where prevalence < countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, 
SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n TeamsData \\n | where TimeGenerated >= ago(timeRange)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": 
\"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous login followed by Teams action\",\r\n \"description\": \"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\r\n \"name\": \"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// Replace these with the usename or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic(['vip1@email.com','vip2@email.com']);\\nlet timeframe = 1d;\\nLAQueryLogs\\n| where TimeGenerated > ago(timeframe)\\n| where QueryText has_any 
(vips)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Users searching for VIP user activity\",\r\n \"description\": \"This query monitors for users running Log Analytics queries that contain filters \\nfor specific, defined VIP user accounts. Use this detection to alert for users specifically \\nsearching for activity of sensitive users.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-23T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(Query Audit)\",\r\n \"dataTypes\": [\r\n \"LAQueryLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\r\n \"name\": \"223db5c1-1bf8-47d8-8806-bed401b356a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet azPortalSignins = materialize(SigninLogs\\n| where TimeGenerated >= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where 
ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated > TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)\\n| summarize 
TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation\\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed login attempts to Azure Portal\",\r\n \"description\": \"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\r\n \"name\": \"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n 
{\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Security Event log cleared\",\r\n \"description\": \"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\r\n \"name\": \"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookBack_long = 14d;\\nlet lookBack_med = 7d;\\nlet lookBack = 1d;\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack_long))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| 
extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope > 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack_med))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n| top 50 by Slope desc\\n| where Slope > 0.3\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n| where Slope > 5\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous sign-in location by user account and authenticating application\",\r\n \"description\": \"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 7-day and 14-day periods.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\r\n \"name\": \"ec21493c-2684-4acd-9bc2-696dbad72426\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated > ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, '.')\\n | extend tld = 
parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC's that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceVendor =~ 'Palo Alto Networks'\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, '.')\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CSL_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, 
ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to PaloAlto\",\r\n \"description\": \"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\r\n \"name\": \"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet timeRange = 1d;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| where TimeGenerated >= ago(timeRange)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName contains \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n 
\"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Brute force attack against Azure Portal\",\r\n \"description\": \"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\r\n \"name\": \"a9956d3a-07a9-44a6-a279-081a85020cae\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where TimeGenerated > timeframe\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by 
ClientIP, bin(TimeGenerated, 15m)\\n| where Total > threshold\\n| project ClientIP;\\nSymantecVIP\\n| where TimeGenerated > timeframe\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess() on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ClientDeniedAccess\",\r\n \"description\": \"Creates an incident in the event a Client has an excessive amounts of denied access requests.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecVIP\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\r\n \"name\": \"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet 
WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n| where TimeGenerated > ago(timeframe)\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, \\nGroupAddTargetUserName = TargetUserName, GroupAddTargetDomainName = TargetDomainName, GroupAddTargetSid = TargetSid, \\nGroupAddSubjectUserName = SubjectUserName, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, \\nGroupCreateTargetUserName = TargetUserName, GroupCreateTargetDomainName = TargetDomainName, GroupCreateSubjectUserName = SubjectUserName, \\nGroupCreateSubjectDomainName = SubjectDomainName, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = 
TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectUserName, HostCustomEntity = GroupCreateComputer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Group added to built in domain local or global group\",\r\n \"description\": \"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\r\n \"name\": \"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n 
\"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| project TimeGenerated, OperationName, Resource, CallerIPAddress \\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts since specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(timeframe)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = 
columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s \\n) on Resource, TimeGenerated \\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n 
\"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure Key Vault access TimeSeries anomaly\",\r\n \"description\": \"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm \\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an \\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\r\n \"name\": \"884c4957-70ea-4f57-80b9-1bca3890315b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet 
timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where TimeGenerated >= ago(timeFrame)\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"&\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"&\\\")[0]),tostring(split(csUriQuery, \\\"&\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", 
\\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount >= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n 
},\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of failed logons by a user\",\r\n \"description\": \"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. \\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8b8aec75-dc5e-4661-bc0c-9e4fff6aad02\",\r\n \"name\": \"8b8aec75-dc5e-4661-bc0c-9e4fff6aad02\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1027\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Highly Confidential to Confidential\",\r\n \"Highly Confidential to General\",\r\n \"Highly Confidential to Public\",\r\n \"Highly Confidential to Archive\",\r\n \"Confidential to General\",\r\n \"Confidential to Public\",\r\n 
\"Confidential to Archive\",\r\n \"General to Public\",\r\n \"General to Archive\",\r\n \"Public to Archive\"\r\n ],\r\n \"values\": [\r\n \"Highly Confidential to General\",\r\n \"Highly Confidential to Public\",\r\n \"Highly Confidential to Archive\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Document sensitivity label change\",\r\n \"description\": \"Sensitivity labels are security settings that have been automatically or manually applied to your files.\\nSometimes it is normal to change the labels of files.\\nChoose which label changes are severe enough to generate anomalies.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n },\r\n {\r\n \"supportedValues\": [\r\n \".doc\",\r\n \".docm\",\r\n \".docx\",\r\n \".dot\",\r\n \".dotm\",\r\n \".dotx\"\r\n ],\r\n \"values\": [\r\n \".doc\",\r\n \".docx\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Document type\",\r\n \"description\": \"Choose which document types to include or exclude from this rule.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n },\r\n {\r\n \"supportedValues\": [\r\n \"Discover, open, remove protection\",\r\n \"Discover, open, remove label\",\r\n \"Discover, open, downgrade label\",\r\n \"Discover, remove protection\",\r\n \"Discover, remove label\",\r\n \"Discover, downgrade label\"\r\n ],\r\n \"values\": [\r\n \"Discover, open, remove protection\",\r\n \"Discover, open, downgrade label\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Document action sequence\",\r\n \"description\": \"Document action sequence is the order of events that occurred while changes were made to these files. 
Based on the way you normally interact with your files, you may choose which actions are flagged as anomalous.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"singleSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Include\",\r\n \"Exclude\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"value\": \"Include\",\r\n \"name\": \"Private IP\",\r\n \"description\": \"Private IP relates to the status of the IP address where the operation occurred. Choose to either include or exclude operations from Private IPs.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"prioritizeExcludeObservations\": [\r\n {\r\n \"prioritize\": \"[60-100]\",\r\n \"exclude\": \"[200-]\",\r\n \"dataType\": \"number\",\r\n \"name\": \"Document count\",\r\n \"description\": \"Document count is the number of files that were involved in a particular downgrade operation. Choose a number that would indicate an unusual number of files to be edited in one batch.\\nYou may *prioritize* a certain range of numbers and you may *exclude* a certain range of numbers.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n },\r\n {\r\n \"prioritize\": null,\r\n \"exclude\": \"financial, $hr.+$\",\r\n \"dataType\": \"string\",\r\n \"name\": \"Document name\",\r\n \"description\": \"Choose to *prioritize* or *exclude* strings that appear in the names of documents. 
You may enter plain text and regular expressions separated by commas.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ],\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0.3\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.3\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"PT2H\",\r\n \"displayName\": \"(Preview) Anomalous Document Mass Downgrade\",\r\n \"description\": \"Description for Anomalous mass downgrade of sensitive documents template\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-12T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureInformationProtection\",\r\n \"dataTypes\": [\r\n \"InformationProtectionLogs_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0558155e-4556-447e-9a22-828f2a7de06b\",\r\n \"name\": \"0558155e-4556-447e-9a22-828f2a7de06b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nProofPointTAPMessagesDelivered_CL\\n| where TimeGenerated >= timeframe\\n| mv-expand todynamic(threatsInfoMap_s)\\n| mv-expand todynamic(messageParts_s)\\n| extend threatType = tostring(threatsInfoMap_s.threatType), classification = tostring(threatsInfoMap_s.classification)\\n| extend filename = tostring(messageParts_s.filename)\\n| where threatType =~ \\\"attachment\\\" and classification =~ \\\"malware\\\"\\n| summarize filenames 
= make_set(filename), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, threatType, classification, Subject = subject_s\\n| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware attachment delivered\",\r\n \"description\": \"This query identifies a message containing a malware attachment that was delivered.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointTAP\",\r\n \"dataTypes\": [\r\n \"ProofPointTAPMessagesDelivered_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\r\n \"name\": \"32555639-b639-4c2b-afda-c0ae0abefa55\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName =~ \\\"GetCallerIdentity\\\" and 
UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTimeUtc desc nulls last\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Monitor AWS Credential abuse or hijacking\",\r\n \"description\": \"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\r\n \"name\": \"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet threshold = 1000;\\nInfobloxNIOS\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ > threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n | where TimeGenerated >= ago(timeframe)\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential DHCP Starvation Attack\",\r\n \"description\": \"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"InfobloxNIOS\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\r\n \"name\": \"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nDnsEvents\\n| where TimeGenerated > ago(timeframe)\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", 
\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"DNS events related to mining pools\",\r\n \"description\": \"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\r\n \"name\": \"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet 
emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n SigninLogs | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailRecipient column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend Region = tostring(LocationDetails[\\\"countryOrRegion\\\"]), State = tostring(LocationDetails[\\\"state\\\"]), City = tostring(LocationDetails[\\\"city\\\"])\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.UserPrincipalName\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n 
\"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SigninLogs\",\r\n \"description\": \"Identifies a match in SigninLogs table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\r\n \"name\": \"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from JSON data\\n | extend Url = 
extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to SecurityAlert data\",\r\n \"description\": \"Identifies a match in SecurityAlert data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n 
]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\r\n \"name\": \"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet threshold = 15;\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount > threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": 
\"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SSH - Potential Brute Force\",\r\n \"description\": \"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\r\n \"name\": \"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| where StartTimeUtc >= ago(timeframe)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Base64 encoded Windows process command-lines\",\r\n \"description\": \"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2018-09-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\r\n \"name\": \"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map File Hash to CommonSecurityLog Event\",\r\n \"description\": \"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n 
\"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\r\n \"name\": \"f948a32f-226c-4116-bddd-d95e91d97eb9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to 
all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n 
\"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Suspicious application consent similar to O365 Attack Toolkit\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\r\n \"name\": \"9f86885f-f31f-4e66-a39d-352771ee789e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nCarbonBlackEvents_CL\\n| where TimeGenerated > timeframe\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 
1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Malware Detected\",\r\n \"description\": \"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"VMwareCarbonBlack\",\r\n \"dataTypes\": [\r\n \"CarbonBlackEvents_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\r\n \"name\": 
\"a357535e-f722-4afe-b375-cff362b2b376\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let endtime = 1d;\\n(union isfuzzy=true\\n(OfficeActivity | where TimeGenerated >= ago(endtime) | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where TimeGenerated >= ago(endtime)\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation, UserAgent = extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string))),\\n(AzureDiagnostics\\n| where TimeGenerated >= ago(endtime)\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")))\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \\\"\\\\\\\"\\\"\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationNames = makeset(OperationName), UserAgentCount = dcount(UserAgent), \\nUserAgentList = makeset(UserAgent), RecordTypes = makeset(RecordType) by UserId, ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n 
{\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malformed user agent\",\r\n \"description\": \"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"name\": \"155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", 
SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName in~ (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) or isnotempty(DNSName)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account )\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n 
\"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Phosphorus group domains/IP\",\r\n \"description\": \"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 1\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\r\n \"name\": \"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| 
summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to AWS Elastic Load Balancer security groups\",\r\n \"description\": \"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. 
\\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\r\n \"name\": \"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SigninLogs\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = AlternateSignInName\\n| extend IPCustomEntity = IPAddress\\n| extend URLCustomEntity = ClientAppUsed\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": 
\"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Explicit MFA Deny\",\r\n \"description\": \"User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\r\n \"name\": \"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = ago(1d);\\nlet threshold = 1;\\nSigninLogs\\n| where TimeGenerated >= timeRange\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Status = makelist(Status), StatusDetails = makelist(StatusDetails), IPAddresses = 
makelist(IPAddress), IPAddressCount = dcount(IPAddress) , CorrelationIds = makelist(CorrelationId) by UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name\\n| where IPAddressCount > threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = makeset(IPAddresses), Status = makeset(Status), CorrelationIds = makeset(CorrelationIds) by StartTimeUtc, EndTimeUtc, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Attempt to bypass conditional access rule in Azure AD\",\r\n \"description\": \"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: 
\\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\r\n \"name\": \"173f8699-6af5-484a-8b06-8c47ba89b380\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) > max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n 
\"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple Teams deleted by a single user\",\r\n \"description\": \"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Azure Sentinel.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity (Teams)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\r\n \"name\": \"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nDnsEvents\\n| where TimeGenerated > ago(timeframe)\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", 
\\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"DNS events related to ToR proxies\",\r\n \"description\": \"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\r\n \"name\": \"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related 
IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n SecurityAlert | where TimeGenerated >= ago(dt_lookBack)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend SecurityAlert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.EntityEmail\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityAlert_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = SecurityAlert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to 
SecurityAlert\",\r\n \"description\": \"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\r\n \"name\": \"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MLBehaviorAnalytics\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Anomalous SSH Login Detection\",\r\n \"description\": \"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. 
Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Azure Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\r\n \"name\": \"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated > ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld > threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld > threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P10D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential DGA detected\",\r\n \"description\": \"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). 
Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\r\n \"name\": \"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = 
toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, 
last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco ASA - average attack detection rate increase\",\r\n \"description\": \"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\r\n \"name\": \"500415fb-bba7-4227-a08a-9857fb61b6a7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", (split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n 
\"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mail redirect via ExO transport rule\",\r\n \"description\": \"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-05-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\r\n \"name\": \"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where TimeGenerated >= ago(timeframe) \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in 
(IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where TimeGenerated >= ago(timeframe) \\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where TimeGenerated >= ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) 
\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(WireData \\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(SigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known IRIDIUM IP\",\r\n \"description\": \"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\r\n \"name\": \"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, '|', 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project 
LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\r\n \"description\": \"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureNetworkAnalytics_CL(NSG Flow Logs)\",\r\n \"dataTypes\": [\r\n \"AzureNetworkAnalytics_CL\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\r\n \"name\": \"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.DestinationUserID\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, 
AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to CommonSecurityLog\",\r\n \"description\": \"Identifies a match in CommonSecurityLog table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\r\n \"name\": \"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": 
\"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where TimeGenerated > ago(timeframe) \\n| where CommandLine contains \\\".decode('base64')\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Process executed from binary hidden in Base64 encoded file\",\r\n \"description\": \"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\r\n \"name\": \"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Active Directory Identity Protection\",\r\n \"displayName\": \"Create incidents based on Azure Active Directory Identity Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectoryIdentityProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (IPC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\r\n \"name\": \"2391ce61-8c8d-41ac-9723-d945b2e90720\",\r\n \"type\": 
\"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday >= coalesce(CountPrev7day,0)*threshold and CountToday >= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \\nSubStatus =~ '0xC000006D', 'Bad user name or password',\\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\\nSubStatus =~ '0xC0000071', 'User logon with expired password',\\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\\nSubStatus =~ 
'0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \\nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\\nSubStatus =~ '0xC0000193', 'User logon with expired account',\\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\\nSubStatus =~ '0xC0000234', 'User logon with account locked',\\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine',\\nstrcat('Unknown reason substatus: ', SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Windows logon failures\",\r\n \"description\": \"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\r\n \"name\": \"f2dd4a3a-ebac-4994-9499-1a859938c947\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, 
baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated \\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score;\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog \\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime))) \\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024) \\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP), DestinationPortList = make_set(DestinationPort), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB\\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n),\\n(\\nVMConnection \\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime))) \\n| extend DeviceVendor = \\\"VMConnection\\\", SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), 
DestinationIPList=make_set(DestinationIP), DestinationPortList = make_set(DestinationPort), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DestinationIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB \\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc \\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies \\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP), DestinationIPList = make_set(DestinationIPList) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount \\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n 
\"displayName\": \"Time series anomaly for data size transferred to public internet\",\r\n \"description\": \"Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. \\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. \\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour. \\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\r\n \"name\": \"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": 
\"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n)\\n)\\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"THALLIUM domains included in DCU takedown\",\r\n \"description\": \"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-01-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\r\n \"name\": \"06a9b845-6a95-4432-a78b-83919b28c375\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 25;\\nlet TimeSeriesData = CommonSecurityLog \\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n//Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score;\\n//Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order \\nTimeSeriesAlerts \\n| join (\\n CommonSecurityLog \\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP), DestinationPortlist = 
make_set(DestinationPort) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor \\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal > percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist), DestinationPortlist = make_set(DestinationPortlist) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 3,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Time series anomaly detection for total volume of traffic\",\r\n \"description\": \"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. \\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. 
\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour. \\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Barracuda\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\r\n \"name\": \"3533f74c-9207-4047-96e2-0eb9383be587\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n 
\"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", 
AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Suspicious application consent for offline access\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with 
offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\r\n \"name\": \"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 10m;\\nlet threshold = 20;\\nSecurityEvent \\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !='0xc0000064' and Account !in ('\\\\\\\\', '-\\\\\\\\-')\\n// SubStatus '0xc0000064' signifies 'Account name does not exist'\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \\nSubStatus =~ '0xC000006D', 'Bad user name or 
password',\\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\\nSubStatus =~ '0xC0000071', 'User logon with expired password',\\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \\nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\\nSubStatus =~ '0xC0000193', 'User logon with expired account',\\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\\nSubStatus =~ '0xC0000234', 'User logon with account locked',\\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine',\\nstrcat('Unknown reason substatus: ', SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed logon attempts by valid accounts within 10 mins\",\r\n \"description\": \"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\r\n \"name\": \"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": 
\"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map File Hash to Security Event\",\r\n \"description\": \"Identifies a match in Security Event data from any File Hash IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\r\n \"name\": \"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated > 
ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to DnsEvent\",\r\n \"description\": \"Identifies a match in DnsEvent table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n 
\"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\r\n \"name\": \"f110287e-1358-490d-8147-ed804b328514\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, 
ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AWSCloudTrail\",\r\n \"description\": \"Identifies a match in AWSCloudTrail from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\r\n \"name\": \"ef88eb96-861c-43a0-ab16-f3835a97c928\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet regexEmpire = @\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCom
mand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetS
ite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptS
ingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where TimeGenerated >= ago(timeframe) \\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, ' ')[0]), CommandLine\\n// Note: currently the base64_decodestring function is limited to supporting UTF8\\n| extend decodedCommand = translate('\\\\0','', base64_decodestring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where TimeGenerated >= ago(timeframe)\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, 
HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Powershell Empire cmdlets seen in command line\",\r\n \"description\": \"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\r\n \"name\": \"643c2025-9604-47c5-833f-7b4b9378a1f5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet Suspicious_signins = \\nSigninLogs\\n| where TimeGenerated >= ago(1d)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress != \\\"127.0.0.1\\\"\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| 
summarize make_list(IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where TimeGenerated > ago(1d)\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AzureAD logons but success logon to AWS Console\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": 
\"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\r\n \"name\": \"7249500f-3038-4b83-8549-9cd8dfa2d498\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| where TimeGenerated >= 
ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where TimeGenerated >= ago(timeframe) \\n| where ProviderName =~ 'OATP'\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where TimeGenerated >= ago(timeframe) \\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n 
\"displayName\": \"Known PHOSPHORUS group domains/IP - October 2020\",\r\n \"description\": \"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Cisco)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (PaloAlto)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Zscaler)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Fortinet)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"OfficeATP\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (OATP)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics (Azure Firewall)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\r\n \"name\": \"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet PerUserThreshold = 5;\\nlet TotalThreshold = 
100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account's password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where OperationName has_any (pWord) and OperationName has_any (action)\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetResourceName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = TargetResourceName, Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type),\\n(SigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where 
OperationName =~ \\\"Sign-in activity\\\" and ResultType has_any (\\\"50125\\\", \\\"50133\\\")\\n| project TimeGenerated, AccountType = AppDisplayName, Computer = IPAddress, Account = UserPrincipalName, Type\\n)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), AccountType = makeset(AccountType), Total=count() by Account, Type\\n| where Total > PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), Account = tostring(makeset(Account)), AccountType = makeset(AccountType), Total=count() by Type\\n| where Total > TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = tostring(Computer)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple Password Reset by user\",\r\n \"description\": \"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-09-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"name\": \"327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Defender Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Microsoft Defender Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Microsoft Defender Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-10-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MDATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 1\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\r\n \"name\": \"44a555d8-ecee-4a25-95ce-055879b4b14b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| where TimeGenerated >= ago(timeFrame)\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", 
\\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount >= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n 
],\r\n \"displayName\": \"High count of connections by client IP on many ports\",\r\n \"description\": \"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\r\n \"name\": \"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 
1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to AuditLogs\",\r\n \"description\": \"Identifies a match in AuditLogs from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n 
\"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\r\n \"name\": \"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let szOperationNames = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationName, Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope > 0.2\\n| join kind=leftsemi (\\n// Last day's activity is anomalous\\nAzureActivity\\n| where TimeGenerated >= startofday(ago(endtime))\\n| where OperationName in~ (szOperationNames)\\n| 
summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationName, Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope > 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatus), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious number of resource creation or deployment activities\",\r\n \"description\": \"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of 
the day is considered 12am UTC time.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\r\n \"name\": \"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 10;\\nQualysHostDetection_CL\\n| where TimeGenerated >= timeframe\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ >= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High Number of Urgent Vulnerabilities Detected\",\r\n \"description\": \"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"QualysVulnerabilityManagement\",\r\n \"dataTypes\": [\r\n \"QualysHostDetection_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\r\n \"name\": \"39198934-62a0-4781-8416-a81265c03fd6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains 
\\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, 
OperationName, GrantOperation, CorrelationId, ConsentFull\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Suspicious application consent similar to PwnAuth\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"name\": \"f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Fusion\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"displayName\": \"Advanced Multistage Attack Detection\",\r\n \"description\": \"Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage 
attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nThere are a total of 70 Fusion incident types detected by Azure Sentinel.\\n- 65 of these show the combination of suspicious Azure Active Directory sign-in events followed by anomalous Office 365 activity. Out of these 65, 30 are in public preview. \\n- The remaining five incident types show the combination of anomalous signals from Microsoft Defender Advanced Threat Protection and from Palo Alto Networks firewalls. These five types are all in public preview.\\n\\nTo detect these multistage attacks, the following data connectors must be configured:\\n- Azure Active Directory Identity Protection.\\n- Microsoft Cloud App Security.\\n- Microsoft Defender Advanced Threat Protection.\\n- Palo Alto Networks.\\n\\nFor a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"CommandAndControl\",\r\n \"DefenseEvasion\",\r\n \"Discovery\",\r\n \"Execution\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"InitialAccess\",\r\n \"LateralMovement\",\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-09T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\r\n \"name\": 
\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated > ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid \\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated > ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid \\n) on Computer, TargetUserName\\n| where deletionTime - creationTime < spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, \\ndeletionTime, DeleteEventID, AccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account enabled and disabled 
within 10 mins\",\r\n \"description\": \"Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\r\n \"name\": \"75bf9902-0789-47c1-a5d8-f57046aa72df\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where TimeGenerated >= ago(timeframe)\\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": 
\"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware in the recycle bin\",\r\n \"description\": \"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2018-09-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\r\n \"name\": \"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nAzureActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where 
OperationName in (operationList)\\n| where ActivityStatus == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationName, ActivityStatus, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Creation of expensive computes in Azure\",\r\n \"description\": \"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-08-28T00:00:00Z\",\r\n \"status\": 
\"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\r\n \"name\": \"aac495a9-feb1-446d-b08e-a1164a539452\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"ThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(24h)\\n| where Action == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | where TimeGenerated >= ago(24h)\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, 
AccountCustomEntity = Actor\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"TI map IP entity to GitHub_CL\",\r\n \"description\": \"Identifies a match in GitHub_CL table from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\r\n \"name\": \"34663177-8abf-4db1-b0a4-5683ab273f44\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 20;\\nPulseConnectSecure\\n| where TimeGenerated >= timeframe\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ > threshold\\n| extend timestamp = StartTime, AccountCustomEntity 
= User, IPCustomEntity = Source_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"PulseConnectSecure - Potential Brute Force Attempts\",\r\n \"description\": \"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PulseConnectSecure\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\r\n \"name\": \"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, 
EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to Amazon VPC settings\",\r\n \"description\": \"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\",\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\r\n \"name\": \"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let szOperationNames = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationName, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated > ago(endtime)\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatus = makeset(ActivityStatus), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious Resource deployment\",\r\n \"description\": \"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\r\n \"name\": \"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = 'FileUploaded';\\n// Extensions that are interesting. 
Add/Remove to this list as you see fit\\nlet execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated >= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount > threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\\\\\.', '_',UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), 
SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"New executable via Office FileUploaded Operation\",\r\n \"description\": \"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-03-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\r\n \"name\": \"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated 
between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated > ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount > threshold;\\nOfficeActivity \\n| where TimeGenerated >= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n 
],\r\n \"displayName\": \"SharePointFileOperation via previously unseen IPs\",\r\n \"description\": \"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\r\n \"name\": \"871ba14c-88ef-48aa-ad38-810f26760ca3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 7d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has ':', tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has '-', tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has ':', 
tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has ':', tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has '-', tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has ']-', tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has ']:', tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has ']:', tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount > 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports = tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n 
\"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple users email forwarded to same destination\",\r\n \"description\": \"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\r\n \"name\": \"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 50;\\nSophosXGFirewall\\n| where TimeGenerated >= timeframe\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| 
where dcount_Dst_Port > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Port Scan Detected\",\r\n \"description\": \"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short period.\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SophosXGFirewall\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\r\n \"name\": \"4b93c5af-d20b-4236-b696-a28b8c51407f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated > ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid \\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated > ago(timeframe) \\n // A user 
account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid \\n) on Computer, TargetUserName\\n| where deletionTime - creationTime < spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, \\ndeletionTime, DeleteEventID, AccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account created and deleted within 10 mins\",\r\n \"description\": \"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\r\n \"name\": \"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated > ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source->destination 'sessions'\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds > TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source->destination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), 
makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity >= 
(10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Fortinet - Beacon pattern detected\",\r\n \"description\": \"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. 
Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-31T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\r\n \"name\": \"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where TimeGenerated > timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s > FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where TimeGenerated > timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = client_ipAddress_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Password Spray Attack\",\r\n \"description\": \"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\r\n \"name\": \"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeRange = 1d;\\nlet s_threshold = 30;\\nlet l_threshold = 3;\\nSigninLogs\\n| where TimeGenerated >= ago(timeRange)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \\n| extend LocationString= 
strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount > s_threshold and LocationCount >= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Distributed Password cracking attempts in AzureAD\",\r\n \"description\": \"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID 
or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\r\n \"name\": \"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n OfficeActivity\\n | where TimeGenerated >= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, ';')[0])\\n | extend Office_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = 
iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Office_TimeGenerated, Url, User\\n| extend timestamp = Office_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to OfficeActivity data\",\r\n \"description\": \"Identifies a match in OfficeActivity data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\r\n \"name\": 
\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\n// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n| where TimeGenerated > ago(timeframe)\\n// When MemberName contains '-' this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = tostring(split(tostring(split(MemberName, \\\",\\\")[0]),\\\"CN=\\\")[1])\\n| project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account added to built in domain local or global group\",\r\n \"description\": \"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\r\n \"name\": \"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the 
entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == 'host', EntityHostName, '')\\n | extend IP_addr = iif(EntityType == 'ip', EntityAddress, '')\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n 
]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to SecurityAlert\",\r\n \"description\": \"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\r\n \"name\": \"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", 
\\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n 
\"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Squid proxy events for ToR proxies\",\r\n \"description\": \"Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\r\n \"name\": \"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod; \\nlet GitHubFailedSSOLogins = (SigninLogs \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType == 50056); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime) \\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, tostring(set_IPAddress)\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity \\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime > LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Brute Force Attack against GitHub Account\",\r\n \"description\": \"Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\r\n \"name\": \"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"ThreatIntelligence\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Microsoft Threat Intelligence Analytics\",\r\n \"description\": \"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity and are turned ON by default. 
\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-15T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\r\n \"name\": \"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where TimeGenerated > ago(timeframe)\\n| where Facility contains 'auth' and ProcessName != 'sudo'\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ > signin_threshold\\n| summarize 
make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nSigninLogs\\n| where TimeGenerated > ago(timeframe)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed host logons but success logon to AzureAD\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\r\n \"name\": \"45b903c5-6f56-4969-af10-ae62ac709718\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare RDP Connections\",\r\n \"description\": \"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-01-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\r\n \"name\": \"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * 'TicketEncryptionType\\\">' TicketEncryptionType \\\"<\\\" *\\n| where TicketEncryptionType == '0x17'\\n| parse EventData with * 'TicketOptions\\\">' TicketOptions \\\"<\\\" *\\n| where TicketOptions == '0x40810000'\\n| parse EventData with * 'Status\\\">' Status \\\"<\\\" *\\n| where Status == '0x0'\\n| parse EventData with * 'ServiceName\\\">' ServiceName \\\"<\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * 'TargetUserName\\\">' TargetUserName \\\"<\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * 'IpAddress\\\">::ffff:' ClientIPAddress \\\"<\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h < prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated >= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName, ClientIPAddress, 
TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h > prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Kerberoasting\",\r\n \"description\": \"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. 
Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\r\n \"name\": \"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n Syslog\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, '.')\\n //Split out the 
TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to Syslog\",\r\n \"description\": \"Identifies a match in Syslog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n 
\"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\r\n \"name\": \"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1h;\\nCommonSecurityLog \\n| where TimeGenerated > ago(timeframe) \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ >= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n 
\"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Palo Alto - possible internal to external port scanning\",\r\n \"description\": \"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\r\n \"name\": \"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe =1d;\\nlet EventCountThreshold = 25;\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ > EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mass secret retrieval from Azure Key Vault\",\r\n \"description\": \"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\r\n \"name\": \"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.Caller\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, 
EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, Category, OperationName,\\nOperationNameValue, ActivityStatus, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to AzureActivity\",\r\n \"description\": \"Identifies a match in AzureActivity table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\r\n \"name\": \"910124df-913c-47e3-a7cd-29e1643fa55e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where TimeGenerated >= ago(1d)\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ > signin_threshold\\n| summarize make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where TimeGenerated >= ago(1d)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AWS Console logons but success logon to AzureAD\",\r\n \"description\": \"Identifies a list 
of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\r\n \"name\": \"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.UserId\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, 
OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to OfficeActivity\",\r\n \"description\": \"Identifies a match in OfficeActivity table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\r\n \"name\": \"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" \\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords '}'*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords '}'*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords '}'*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, 
OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malicious Inbox Rule\",\r\n \"description\": \"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they've been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\r\n \"name\": \"f2eb15bd-8a88-4b24-9281-e133edfba315\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n SigninLogs | where TimeGenerated >= 
ago(dt_lookBack)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend Region = tostring(LocationDetails[\\\"countryOrRegion\\\"]), State = tostring(LocationDetails[\\\"state\\\"]), City = tostring(LocationDetails[\\\"city\\\"])\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to SigninLogs\",\r\n \"description\": \"Identifies a match in SigninLogs from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": 
[\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\r\n \"name\": \"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": 
\"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to Syslog data\",\r\n \"description\": \"Identifies a match in Syslog data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\r\n \"name\": \"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let startdate = 1d;\\nlet threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of 
system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where TimeGenerated >= ago(startdate) \\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\nlet userfail = Syslog \\n| where TimeGenerated >= ago(startdate)\\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, 
Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts >= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed logon attempts in authpriv\",\r\n \"description\": \"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. 
\\nDefault threshold for logon attempts is 15.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\r\n \"name\": \"3d645a88-2724-41a7-adea-db74c439cf79\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 5000;\\nSophosXGFirewall\\n| where TimeGenerated >= timeframe\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Amount of Denied Connections from a Single Source\",\r\n \"description\": \"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n 
\"connectorId\": \"SophosXGFirewall\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\r\n \"name\": \"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 100;\\nSymantecProxySG \\n| where TimeGenerated >= timeframe\\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ > threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Denied Proxy Traffic\",\r\n \"description\": \"This alert creates an incident when a client generates an excessive amounts of denied proxy traffic.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecProxySG\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\r\n \"name\": \"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where published_t >= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User Login from Different Countries within 3 hours\",\r\n \"description\": \"This query searches for successful user logins to the Okta Console from different countries within 3 hours\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\r\n \"name\": \"19e01883-15d8-4eb6-a7a5-3276cd668388\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where TimeGenerated >= ago(timeFrame)\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ 
\\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount >= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": 
\"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of failed attempts from same client IP\",\r\n \"description\": \"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\r\n \"name\": \"4915c713-ab38-432e-800b-8e2d46933de6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let 
PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.'; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet startime = 7d;\\nlet ssh_logins = Syslog\\n| where TimeGenerated >= ago(startime)\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)),\\nprivateIPLoginHistory = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory['logon_time']) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory['IPCount'])), publicAverage=avg(toint(publicIPLoginHistory['IPCount'])), publicStd=stdev(toint(publicIPLoginHistory['IPCount'])), maxPublicLoginCount=max(toint(publicIPLoginHistory['IPCount']))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory['logon_time']) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory['IPCount'])), privateAverage=avg(toint(privateIPLoginHistory['IPCount'])), privateStd=stdev(toint(privateIPLoginHistory['IPCount']))\\n)\\n// Some logins from private IPs\\n| where privateAverage > avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage > avgthreshold\\n// Approximate probability of seeing login from a public IP 
is < 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic < probabilityLimit\\n// Today has the highest number of logins from public IPs that we've seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday >= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we've identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New internet-exposed SSH endpoints\",\r\n \"description\": \"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\r\n \"name\": \"500c103a-0319-4d56-8e99-3cec8d860757\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookBack = 
1d;\\nSigninLogs \\n| where TimeGenerated >= ago(lookBack)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = makeset(UserPrincipalName), \\napplicationSet = makeset(AppDisplayName) by IPAddress\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs\\n | where TimeGenerated >= ago(lookBack)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = makeset(UserPrincipalName, 15) by IPAddress\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount < 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where successfulAccountSigninCount != 0\\n| project StartTimeUtc, EndTimeUtc, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\r\n \"description\": 
\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\r\n \"name\": \"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll = \\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by 
UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime >= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime < ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New UserAgent observed in last 24 hours\",\r\n \"description\": \"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. 
This detection \\nextracts words from user agents to build the baseline and determine rareity rather than perform a \\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\r\n \"name\": \"d3980830-dd9d-40a5-911f-76b44dfdce16\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let RunTime = 1h;\\nSigninLogs\\n| where TimeGenerated > ago(RunTime)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName\\n| where CountOfLocations 
> 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"GitHub Signin Burst from Multiple Locations\",\r\n \"description\": \"This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8675dd7a-795e-4d56-a79c-fc848c5ee61c\",\r\n \"name\": \"8675dd7a-795e-4d56-a79c-fc848c5ee61c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nProofPointTAPClicksPermitted_CL\\n| where TimeGenerated >= timeframe\\n| where classification_s =~ \\\"malware\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\\n| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress, URLCustomEntity = URLClicked\",\r\n \"queryFrequency\": \"PT1H\",\r\n 
\"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware Link Clicked\",\r\n \"description\": \"This query identifies a user clicking on an email link whose threat category is classified as a malware\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointTAP\",\r\n \"dataTypes\": [\r\n \"ProofPointTAPClicksPermitted_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\r\n \"name\": \"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\r\n \"queryFrequency\": \"PT5M\",\r\n \"queryPeriod\": \"PT5M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n 
\"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Threats detected by Eset\",\r\n \"description\": \"Escalates threats detected by Eset.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"CredentialAccess\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-09T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"EsetSMC\",\r\n \"dataTypes\": [\r\n \"eset_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\r\n \"name\": \"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center\",\r\n \"displayName\": \"Create incidents based on Azure Security Center alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Security Center\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (ASC)\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\r\n \"name\": \"69b7723c-2889-469f-8b55-a2d355ed9c87\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, 
ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to DnsEvents\",\r\n \"description\": \"Identifies a match in DnsEvents from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\r\n 
\"name\": \"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n 
\"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Microsoft COVID-19 file hash indicator matches\",\r\n \"description\": \"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\r\n \"name\": \"884be6e7-e568-418e-9c12-89229865ffde\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where TimeGenerated > timeframe\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ > FailureThreshold\\n| project client_ipAddress_s, actor_alternateId_s;\\nOkta_CL\\n| where TimeGenerated > timeframe\\n| join kind=inner (FailedLogins) on 
client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, published_t\\n| sort by published_t desc\\n| extend timestamp = published_t, IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed Logins from Unknown or Invalid User\",\r\n \"description\": \"This query searches for numerous login attempts to the management console with an unknown or invalid user name\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\r\n \"name\": \"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n 
\"query\": \"eset_CL\\n| where event_type_s == 'FilteredWebsites_Event'\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\r\n \"queryFrequency\": \"PT5M\",\r\n \"queryPeriod\": \"PT5M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Web sites blocked by Eset\",\r\n \"description\": \"Create alert on web sites blocked by Eset.\",\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-09T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"EsetSMC\",\r\n \"dataTypes\": [\r\n \"eset_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\r\n \"name\": \"a04cf847-a832-4c60-b687-b0b6147da219\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n 
\"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where TimeGenerated >= ago(1d) \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where TimeGenerated >= ago(1d) \\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = 
max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Manganese IP and UserAgent activity\",\r\n \"description\": \"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\r\n \"name\": \"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n 
\"query\": \"let timeRange = 1d;\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI's seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n| where TimeGenerated >= ago(timeRange)\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes > 0 and ReceivedBytes > 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI <= uriThreshold\\n| where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN's while decreasing FP's\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, 
list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Request for single resource on domain\",\r\n \"description\": \"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\r\n \"name\": \"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = 
columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Sensitive Azure Key Vault operations\",\r\n \"description\": \"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, KeyDecrypt, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\r\n \"name\": \"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MLBehaviorAnalytics\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Anomalous RDP Login Detections\",\r\n \"description\": \"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. 
Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Azure Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\r\n \"name\": \"b8266f81-2715-41a6-9062-42486cbc9c73\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet threshold = 200;\\nInfobloxNIOS\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ > threshold\\n| join kind=inner (InfobloxNIOS\\n | where TimeGenerated >= ago(timeframe)\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ 
\\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive NXDOMAIN DNS Queries\",\r\n \"description\": \"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"InfobloxNIOS\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\r\n \"name\": \"48607a29-a26a-4abf-8078-a06dbdd174a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 
50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = SigninLogs\\n| where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// collect window threshold breaches\\nSigninLogs\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName\\n| where FailedPrincipalCount >= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\n SigninLogs\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), 
make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches\\n| join kind= inner (\\nSigninLogs // get data on success vs. failure history for each IP\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress\\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Password spray attack against Azure AD application\",\r\n \"description\": \"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the 
same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\r\n \"name\": \"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let TimeFrame = ago(1d);\\nlet Alert1 = \\nSecurityAlert\\n| where TimeGenerated > TimeFrame\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| 
where TimeGenerated > TimeFrame\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff('minute', Alert1Time, Alert2Time)) <=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Correlate Unfamiliar sign-in properties 
and atypical travel alerts\",\r\n \"description\": \"When a user has both an Unfamiliar sign-in properties alert and an Atypical travel alert within 20 minutes, the alert should be handled with a higher severity\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectoryIdentityProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (IPC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\r\n \"name\": \"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 1;\\nAzureDiagnostics\\n | where TimeGenerated >= timeframe\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n 
| summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ >= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Several deny actions registered\",\r\n \"description\": \"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"LateralMovement\",\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\r\n \"name\": \"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName =~ 
\\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Login to AWS Management Console without MFA\",\r\n \"description\": \"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. 
Thereby indicating that a non-MFA login was successful.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\",\r\n \"PrivilegeEscalation\",\r\n \"Persistence\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\r\n \"name\": \"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe) \\n| where EventID == 4738\\n// 2089 value indicates the Don't Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"'Don't Expire Password' - Disabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"'Password Not Required' - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"'Password Not Required' - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTimeUtc = TimeGenerated, EventID, Computer, TargetUserName, TargetDomainName, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"AD account with don't expire password - disabled\",\r\n \"description\": \"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089 \\n%%2089 resolves to \\\"Don't Expire Password - Disabled\\\".\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\r\n \"name\": 
\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * '\\\"MemberName\\\">' AccountAdded \\\",OU\\\" * \\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * '\\\"MemberName\\\">' AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, 
TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed > 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Account added and removed from privileged groups\",\r\n \"description\": \"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' 
\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\r\n \"name\": \"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 8;\\nCarbonBlackNotifications_CL\\n| where TimeGenerated > timeframe\\n| where threatHunterInfo_score_d >= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": 
\"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Critical Threat Detected\",\r\n \"description\": \"This creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint.\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"VMwareCarbonBlack\",\r\n \"dataTypes\": [\r\n \"CarbonBlackNotifications_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\r\n \"name\": \"26a3b261-b997-4374-94ea-6c37f67f4f39\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", 
\\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", 
\\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where TimeGenerated >= ago(3d)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA1=' SHA1 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where TimeGenerated >= ago(timeframe)\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known GALLIUM domains and hashes\",\r\n \"description\": \"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\r\n \"name\": \"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents 
\\n| where TimeGenerated > ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name > threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name > threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare client observed with high reverse DNS lookup count\",\r\n \"description\": \"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\r\n \"name\": \"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\r\n 
\"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationName == \\\"Create role assignment\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ >= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated > ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CorrelationId = makelist(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationName, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious granting of permissions to an account\",\r\n \"description\": \"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.\",\r\n 
\"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\r\n \"name\": \"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Exchange AuditLog disabled\",\r\n \"description\": \"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\r\n \"name\": \"ba144bf8-75b8-406f-9420-ed74397f9479\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet suspicious_signins = \\n SigninLogs\\n | where TimeGenerated >= ago(timeframe)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress != \\\"127.0.0.1\\\"\\n | summarize count() by IPAddress\\n | where count_ > signin_threshold\\n | summarize make_list(IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n | where TimeGenerated > 
ago(timeframe)\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\\\"User name: ([^,]+)\\\", 1, Message) \\n | extend ClientOS = extract(\\\"Client OS version: ([^,\\\\\\\"]+)\\\", 1, Message)\\n | extend Location = extract(\\\"Source region: ([^,]{2})\\\",1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\r\n \"description\": \"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. 
It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-09-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\r\n \"name\": \"62085097-d113-459f-9ea7-30216f2ee6af\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 2d;\\nlet endtime = 1d;\\nSecurityEvent\\n// include yesterday and not today, so we can confirm a match occurs within the next day\\n| where TimeGenerated >= startofday(ago(starttime)) and TimeGenerated <= startofday(ago(endtime)) \\n// 4722: User Account Enabled\\n| where EventID == 4722 \\n// Removing Machine Accounts\\n| where TargetUserName !endswith \\\"$\\\" \\n| join kind= leftanti (\\n SecurityEvent\\n //verify over the last 2 days\\n | where TimeGenerated >= startofday(ago(starttime))\\n // Attempt made to change password\\n | where EventID == 4723\\n // Removing Machine Accounts\\n | where TargetUserName !endswith \\\"$\\\"\\n) on TargetUserName, TargetDomainName\\n| project StartTimeUtc = TimeGenerated, EventID, Computer, TargetUserName, TargetDomainName, SubjectUserName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, 
HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P2D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"AD user created password not set within 24-48 hours\",\r\n \"description\": \"Identifies whenever a new account is created with a default password and password is not changed within 24-48 hours.\\nSimple version, can be more precise with Windowing, but not necessary if run as an alert on a daily basis.\\nEffectively, there is an event 4722 indicating a user enabled and no event 4723 indicating a password was changed within in that day or the next day.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\r\n \"name\": \"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = 
(externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount > triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated > ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) > dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri's and/or >=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ > 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join 
kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated > ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Possible contact with a domain generated by a DGA\",\r\n \"description\": \"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Barracuda\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\r\n \"name\": \"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 
1d;\\n//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet suspicious_signins =\\nSigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress != \\\"127.0.0.1\\\"\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": 
\"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AzureAD logons but success logon to host\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\r\n \"name\": \"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Cloud App Security\",\r\n \"displayName\": \"Create incidents based on Microsoft Cloud App Security alerts\",\r\n \"description\": \"Create incidents based on all alerts 
generated in Microsoft Cloud App Security\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MCAS)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\r\n \"name\": \"80733eb7-35b2-45b6-b2b8-3c51df258206\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", 
\\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == '200'\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n 
\"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Squid proxy events related to mining pools\",\r\n \"description\": \"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. \\n http://www.squid-cache.org/Doc/config/access_log/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\r\n \"name\": \"04384937-e927-4595-8f3c-89ff58ed231f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 30d;\\nlet IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where TimeGenerated > ago(detectionTime)\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", 
\\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts > 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Possible STRONTIUM attempted credential harvesting\",\r\n \"description\": \"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\r\n \"name\": \"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": 
\"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"Unknown\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Fraction of Failed Signins\",\r\n \"(Log10) Number of Failed Signins\",\r\n \"(Log10) Failed Signins to (Log10) Successful Signins Ratio\",\r\n \"(Log10) Number of Signins with Incorrect Passwords\",\r\n \"(Log10) Incorrect Passwords to (Log10) Correct Passwords Ratio\",\r\n \"Fraction of Incorrect Password Signins\",\r\n \"Distinct Number of App Ids\",\r\n \"Distinct Number of Client Apps\",\r\n \"Distinct Number of Ip Addresses\",\r\n \"Distinct Number of Opperating Systems\",\r\n \"Distinct Number of Browsers\",\r\n \"Distinct Number of Cities\",\r\n \"Distinct Number of States\",\r\n \"Distinct Number of Countries\"\r\n ],\r\n \"values\": [\r\n \"Fraction of Failed Signins\",\r\n \"(Log10) Number of Failed Signins\",\r\n \"(Log10) Failed Signins to (Log10) Successful Signins Ratio\",\r\n \"(Log10) Number of Signins with Incorrect Passwords\",\r\n \"(Log10) Incorrect Passwords to (Log10) Correct Passwords Ratio\",\r\n \"Fraction of Incorrect Password Signins\",\r\n \"Distinct Number of App Ids\",\r\n \"Distinct Number of Client Apps\",\r\n \"Distinct Number of Ip Addresses\",\r\n \"Distinct Number of Opperating Systems\",\r\n \"Distinct Number of Browsers\",\r\n \"Distinct Number of Cities\",\r\n \"Distinct Number of States\",\r\n \"Distinct Number of Countries\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Top Reason for High Reconstruction Error\",\r\n \"description\": \"Include only anomalies where the top reason is one of these values.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": 
\"0.0\",\r\n \"maximum\": \"1.0\",\r\n \"value\": \"0.5\",\r\n \"name\": \"Reconstruction Error Score\",\r\n \"description\": \"Generate an anomaly when the reconstruction error score is greater than or equal to the chosen value.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Anomalous AAD Signin-Logs Sessions\",\r\n \"description\": \"The signin-logs are grouped into sessions on a per-user basis.\\nAn autoencoder is trained on the previous 6 days worth of sessions and is then applied to sessions from the last 1 day.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\r\n \"name\": \"23de46ea-c425-4a77-b456-511ae4855d69\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic(\\n[\\\"List keys\\\", \\\"List Storage Account Keys\\\", \\\"Register Subscription\\\", \\\"Create or Update Snapshot\\\", \\\"Create or Update Network Security Group\\\"]);\\nlet SensitiveActivity = 
AzureActivity\\n| where OperationName in~ (SensitiveOperationList)\\n| where ActivityStatus =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ >= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated >= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationName\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare subscription-level operations in Azure\",\r\n \"description\": \"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\r\n \"name\": \"074ce265-f684-41cd-af07-613c5f3e6d0d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend IPAddress = ClientIP, DNSName 
= Name, Host = Computer),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| extend IPAddress = RemoteIp, Host = Computer)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known STRONTIUM group domains - July 2019\",\r\n \"description\": \"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": 
[\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\r\n \"name\": \"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe) \\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetUserName), Domain = toupper(TargetDomainName), CreatedUserSid = TargetSid, AccountUsedToCreateUser = SubjectUserName\\n|join (\\nSecurityEvent \\n| where TimeGenerated > ago(timeframe) \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = TargetUserName, \\nDomain = toupper(TargetDomainName), GroupSid = TargetSid, UserAdded = SubjectUserName, UserAddedSid = SubjectUserSid, CreatedUser = tolower(SubjectUserName), \\nCreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, Domain, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, UserAdded, UserAddedSid \\n| extend timestamp = 
CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New user created and added to the built-in administrators group\",\r\n \"description\": \"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions reviewed.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\r\n \"name\": \"1fa1528e-f746-4794-8a41-14827f4cb798\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 100;\\nPulseConnectSecure\\n| where TimeGenerated >= timeframe\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User > 
threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\r\n \"description\": \"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PulseConnectSecure\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\r\n \"name\": \"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, 
SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to internet facing AWS RDS Database instances\",\r\n \"description\": \"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. 
\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\r\n \"name\": \"9713e3c0-1410-468d-b79e-383448434b2d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join 
(\\n VMConnection\\n | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to VMConnection\",\r\n \"description\": \"Identifies a match in VMConnection from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n 
\"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\r\n \"name\": \"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet endpointData = \\n(SecurityEvent\\n | where TimeGenerated >= ago(timeframe) \\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where TimeGenerated >= ago(timeframe)\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n 
\"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Network endpoint to host executable correlation\",\r\n \"description\": \"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently run.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"TrendMicro\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\r\n \"name\": \"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet threshold = 3;\\nSigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count(), applicationCount = dcount(AppDisplayName), \\napplicationSet = makeset(AppDisplayName) by UserPrincipalName, IPAddress\\n| where applicationCount >= threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Attempts to sign in to disabled accounts\",\r\n \"description\": \"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\r\n \"name\": \"78422ef2-62bf-48ca-9bab-72c69818a425\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio > threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, 
IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple RDP connections from Single System\",\r\n \"description\": \"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. \\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\r\n \"name\": \"40ba9493-4183-4eee-974f-87fe39c8f267\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Azure Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Advanced Threat Protection\",\r\n 
\"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (AATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\r\n \"name\": \"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes made to AWS 
CloudTrail logs\",\r\n \"description\": \"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\r\n \"name\": \"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = 
SourceIP\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known CERIUM domains and hashes\",\r\n \"description\": \"CERIUM malicious webserver and hash values for maldocs and malware. 
\\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\r\n \"name\": \"65c78944-930b-4cae-bd79-c3664ae30ba7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n(union isfuzzy=true\\n(AuditLogs \\n| where TimeGenerated >= ago(timeframe) \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc 
= max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"MFA disabled for a user\",\r\n \"description\": \"Multi-Factor Authentication (MFA) helps prevent credential compromise. 
This alert identifies when an attempt has been made to diable MFA for a user \",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\r\n \"name\": \"fbfbf530-506b-49a4-81ad-4030885a195c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated > ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where 
alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated > ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n 
\"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malicious web application requests linked with MDATP alerts\",\r\n \"description\": \"Takes MDATP alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-05-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\r\n \"name\": \"2fc5d810-c9cc-491a-b564-841427ae0e50\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n SecurityEvent | where 
TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailRecipient column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.TargetUserName\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SecurityEvent\",\r\n \"description\": \"Identifies a match in SecurityEvent table from any Email 
IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\r\n \"name\": \"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet logonDiff = 10m;\\nSigninLogs \\n| where TimeGenerated >= ago(timeFrame) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])\\n| join kind= inner (\\n SigninLogs \\n | where TimeGenerated >= ago(timeFrame) \\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription\\n) on 
UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription \\n| extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SuccessIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Successful logon from IP and failure from a different IP\",\r\n \"description\": \"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\r\n \"name\": \"f845881e-2500-44dc-8ed7-b372af3e1e25\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeFrame = 1d;\\nlet short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n| where TimeGenerated >= ago(timeFrame)\\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount < c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n 
}\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous User Agent connection attempt\",\r\n \"description\": \"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\r\n \"name\": \"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), 
EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to WireData\",\r\n \"description\": \"Identifies a match in WireData from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n 
\"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\r\n \"name\": \"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, 
ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to W3CIISLog\",\r\n \"description\": \"Identifies a match in W3CIISLog from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\r\n \"name\": \"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where TimeGenerated >= ago(3d)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA256=' SHA265 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known ZINC related maldoc hash\",\r\n \"description\": \"Document hash used by ZINC in highly targeted spear phishing campaign.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\r\n \"name\": \"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value 
based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to OfficeActivity\",\r\n \"description\": \"Identifies a match in OfficeActivity from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n 
\"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\r\n \"name\": \"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"0.0.1\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.07\",\r\n \"name\": \"AnomalyScore\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious volume of logons to computer\",\r\n \"description\": \"This algorithm is to detect unusually high volume of successful logins per each workspace and computer. 
Successful logins are events with event id 4624.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\r\n \"name\": \"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 30d;\\nlet User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where TimeGenerated > ago(detectionTime)\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ 
\\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts > 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Possible STRONTIUM attempted credential harvesting\",\r\n \"description\": \"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\r\n \"name\": \"06107abb-1b68-4fdc-841b-8a1ff9301467\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1030\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": 
\"1\",\r\n \"value\": \"0.998\",\r\n \"name\": \"Receive_threshold\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n },\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.998\",\r\n \"name\": \"Send_threshold\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Palo Alto Networks - VPN data transfer anomaly\",\r\n \"description\": \"Data transfer anomaly over Palo Alto Globalprotect VPN session\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\r\n \"name\": \"957cb240-f45d-4491-9ba5-93430a3c08be\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any ('NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)','devilfish-applicationaccount') and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| 
extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare and potentially high-risk Office operations\",\r\n \"description\": \"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\r\n \"name\": \"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nCommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\r\n 
\"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco ASA - threat detection message fired\",\r\n \"description\": \"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\r\n \"name\": \"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM 
requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend DisplayName = tostring(parse_json(modifiedProperties).displayName), GroupName = trim(@'\\\"',tostring(parse_json(modifiedProperties).newValue))\\n| extend AppId = tostring(parse_json(parse_json(InitiatedBy).app).appId), InitiatedByDisplayName = tostring(parse_json(parse_json(InitiatedBy).app).displayName), ServicePrincipalId = tostring(parse_json(parse_json(InitiatedBy).app).servicePrincipalId), ServicePrincipalName = tostring(parse_json(parse_json(InitiatedBy).app).servicePrincipalName)\\n| where DisplayName =~ \\\"Role.WellKnownObjectName\\\"\\n| where GroupName in~ (PrivilegedGroups)\\n// If you want to still alert for operations from PIM, remove below filtering for MS-PIM.\\n| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ServicePrincipalName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User added to Azure Active Directory Privileged Groups\",\r\n \"description\": \"This will alert when a user is added to any of the Privileged 
Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\r\n \"name\": \"dd0a6029-ecef-4507-89c4-fc355ac52111\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated > ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC's that contain the entities we want\\n | where isnotempty(DomainName)\\n | 
join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, '.')\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CSL_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n 
\"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to CommonSecurityLog\",\r\n \"description\": \"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\r\n \"name\": \"157c0cfc-d76d-463b-8755-c781608cdc1a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nlet endtime = 1d;\\nCommonSecurityLog\\n| where TimeGenerated >= ago(endtime) \\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP 
matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n SigninLogs\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco - firewall block but success logon to Azure AD\",\r\n \"description\": \"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. 
\\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\r\n \"name\": \"738702fd-0a66-42c7-8586-e30f0583f8fe\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \\\"SHA1\\\"\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"FileHash\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Algorithm\",\r\n \"columnName\": \"FileHashType\"\r\n },\r\n {\r\n \"identifier\": \"Value\",\r\n \"columnName\": \"FileHashCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"TEARDROP memory-only dropper\",\r\n \"description\": \"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\r\n \"name\": \"69b7723c-2889-469f-8b55-a2d355ed9c87\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we 
want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n 
\"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to DnsEvents\",\r\n \"description\": \"Identifies a match in DnsEvents from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\r\n \"name\": \"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, 
AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Login to AWS Management Console without MFA\",\r\n \"description\": \"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. 
Thereby indicating that a non-MFA login was successful.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\",\r\n \"PrivilegeEscalation\",\r\n \"Persistence\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\r\n \"name\": \"884be6e7-e568-418e-9c12-89229865ffde\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ > FailureThreshold\\n| project client_ipAddress_s, actor_alternateId_s;\\nOkta_CL\\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, published_t\\n| sort by published_t desc\\n| extend timestamp = published_t, IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n 
\"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed Logins from Unknown or Invalid User\",\r\n \"description\": \"This query searches for numerous login attempts to the management console with an unknown or invalid user name\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\r\n \"name\": \"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let lbtime = 1h;\\nlet tls_ciphers = dynamic(['RC4-SHA', 'DES-CBC3-SHA']);\\nProofpointPOD\\n| where EventType == 'message'\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - 
Weak ciphers\",\r\n \"description\": \"Detects when weak TLS ciphers are used.\",\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\r\n \"name\": \"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"ZoomLogs \\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false' \\n| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', \\\"All settings changed\\\", \\n EnforceLogin == 'false' and EnforceLoginDomain == 'false', \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == 'false' and GuestAlerts == 'false', \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == 'false', \\\"Enfored Domains Changed\\\", \\n GuestAlerts == 'false', \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == 'false', \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| 
extend timestamp = TimeGenerated, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"External User Access Enabled\",\r\n \"description\": \"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba239935-42c2-472d-80ba-689186099ea1\",\r\n \"name\": \"ba239935-42c2-472d-80ba-689186099ea1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Guessing\\\"\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid Password Guessing\",\r\n \"description\": \"Searches for bruteforce Password Guessing attacks\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n 
\"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\r\n \"name\": \"884c4957-70ea-4f57-80b9-1bca3890315b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"&\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"&\\\")[0]),tostring(split(csUriQuery, \\\"&\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so 
can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount >= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, 
set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of failed logons by a user\",\r\n \"description\": \"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\r\n \"name\": \"78979d32-e63f-4740-b206-cfb300c735e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_IP_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(NetworkIP)\\n| summarize make_list(NetworkIP);\\nProofpointPOD \\n| where TimeGenerated > ago(timeframe)\\n| where isnotempty(SrcIpAddr)\\n| where SrcIpAddr in~ (TI_IP_List)\\n| extend Message = \\\"Email sender IP in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn, SrcIpAddr\\n| extend AccountCustomEntity = SrcUserUpn, IpCustomEntity = SrcIpAddr\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Email sender IP in TI list\",\r\n \"description\": \"Email sender IP in TI list.\",\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_maillog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\r\n \"name\": \"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName contains \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = 
countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Brute force attack against Azure Portal\",\r\n \"description\": \"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\r\n \"name\": \"35a0792a-1269-431e-ac93-7ae2980d4dde\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_email_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(EmailSenderAddress)\\n| summarize make_list(EmailSenderAddress);\\nProofpointPOD \\n| where TimeGenerated > ago(timeframe)\\n| where isnotempty(SrcUserUpn)\\n| where SrcUserUpn in~ (TI_email_List)\\n| extend Message = \\\"Email sender in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n 
\"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Email sender in TI list\",\r\n \"description\": \"Email sender in TI list.\",\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_maillog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\r\n \"name\": \"62085097-d113-459f-9ea7-30216f2ee6af\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated >= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, 
Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff('minute', Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min > 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P3D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n },\r\n {\r\n \"identifier\": \"Sid\",\r\n \"columnName\": \"TargetSid\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"AD user enabled and password not set within 48 hours\",\r\n \"description\": \"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. 
This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\r\n \"name\": \"11b4c19d-2a79-4da3-af38-b067e1273dee\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend NamedPipe = EventDetail.[5].[\\\"#text\\\"]\\n| extend ProcessDetail = EventDetail.[6].[\\\"#text\\\"]\\n| where NamedPipe contains '583da945-62af-10e8-4902-a8f205c72b2e'\\n| extend Account = UserName\\n| project-away EventDetail, EvData\\n),\\n(\\n SecurityEvent\\n| where EventID == '5145'\\n| where AccessList has '%%4418' // presence of CreatePipeInstance value \\n| where RelativeTargetName contains '583da945-62af-10e8-4902-a8f205c72b2e'\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Solorigate Named Pipe\",\r\n \"description\": \"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\r\n \"name\": \"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nAzureActivity\\n| where OperationName in (operationList)\\n| where ActivityStatus == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = 
tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationName, ActivityStatus, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Creation of expensive computes in Azure\",\r\n \"description\": \"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": 
[\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\r\n \"name\": \"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, 
Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to OfficeActivity\",\r\n \"description\": \"Identifies a match in OfficeActivity from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\r\n \"name\": 
\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n 
\"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to CommonSecurityLog\",\r\n \"description\": \"Identifies a match in CommonSecurityLog table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\r\n \"name\": \"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"(union isfuzzy=true (SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
\\n| where ObjectServer == 'DS'\\n| where OperationType == 'Object Access'\\n//| where ObjectName contains '= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated >= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, 
HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Audit policy manipulation using auditpol utility\",\r\n \"description\": \"This detects attempt to manipulate 
audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceProcessEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\r\n \"name\": \"80733eb7-35b2-45b6-b2b8-3c51df258206\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", 
\\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = 
extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == '200'\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Squid proxy events related to mining pools\",\r\n \"description\": \"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\r\n \"name\": \"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted > TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"External user added and removed in short timeframe\",\r\n \"description\": \"This detection flags the occurances of external user accounts that are added to a Team and then removed within\\none hour.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity (Teams)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\r\n \"name\": \"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ >= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n 
}\r\n ],\r\n \"displayName\": \"High Number of Urgent Vulnerabilities Detected\",\r\n \"description\": \"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"QualysVulnerabilityManagement\",\r\n \"dataTypes\": [\r\n \"QualysHostDetection_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\r\n \"name\": \"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'inbound'\\n| where FilterDisposition !in ('reject', 'discard')\\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\\n| where attachedMimeType == 'application/zip'\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Binary file in attachment\",\r\n \"description\": \"Detects when email recieved with binary file as 
attachment.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b783df9c-4088-452e-a791-0c4fca47a109\",\r\n \"name\": \"b783df9c-4088-452e-a791-0c4fca47a109\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1568\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": [\r\n {\r\n \"prioritize\": null,\r\n \"exclude\": \".lan, .home\",\r\n \"dataType\": \"string\",\r\n \"name\": \"Top level domain\",\r\n \"description\": \"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0.0\",\r\n \"maximum\": \"1.0\",\r\n \"value\": \"0.9\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Domain generation algorithm (DGA) on DNS domains\",\r\n \"description\": \"This machine learning model indicates potential DGA domains in the 
second-level-domain (SLD) from the last day in the DNS logs.\\nThe algorithm applies to the DNS records that resolve to IPv4 and IPv6 addresses.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\r\n \"name\": \"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SecurityEvent\\n| where EventID == 4688\\n| where Process =~ 'rundll32.exe' \\n| where CommandLine has_all ('Execute','RegRead','window.close')\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\r\n \"description\": \"This query 
idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\r\n \"name\": \"48607a29-a26a-4abf-8078-a06dbdd174a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = SigninLogs\\n| where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// collect window threshold breaches\\nSigninLogs\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName\\n| where FailedPrincipalCount >= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\n SigninLogs\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, 
WindowThresholdBreaches\\n| join kind= inner (\\nSigninLogs // get data on success vs. failure history for each IP\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress\\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Password spray attack against Azure AD application\",\r\n \"description\": \"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\r\n \"name\": \"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. 
\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount > threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), \\ntostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse 
TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType , CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 3,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare application consent\",\r\n \"description\": \"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could 
indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"LateralMovement\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\r\n \"name\": \"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount > threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList 
= makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SSH - Potential Brute Force\",\r\n \"description\": \"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\r\n \"name\": \"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Active Directory Identity Protection\",\r\n \"displayName\": \"Create incidents based on Azure Active Directory Identity Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Active 
Directory Identity Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectoryIdentityProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (IPC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\r\n \"name\": \"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n 
}\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to Amazon VPC settings\",\r\n \"description\": \"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\",\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\r\n \"name\": \"5ef06767-b37c-4818-b035-47de950d0046\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dontnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = 
dynamic([\\\"\\\"]);\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime <= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Build Process Compromise\",\r\n \"description\": \"The query looks for 
source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\r\n \"name\": \"ec21493c-2684-4acd-9bc2-696dbad72426\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated > ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC's that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend 
IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceVendor =~ 'Palo Alto Networks'\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, '.')\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CSL_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n 
\"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to PaloAlto\",\r\n \"description\": \"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\r\n \"name\": \"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic(['vip1@email.com','vip2@email.com']);\\nLAQueryLogs\\n| where QueryText 
has_any (vips)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Users searching for VIP user activity\",\r\n \"description\": \"This query monitors for users running Log Analytics queries that contain filters \\nfor specific, defined VIP user accounts. Use this detection to alert for users specifically \\nsearching for activity of sensitive users.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\r\n \"name\": \"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.1\",\r\n \"techniques\": [\r\n \"T1030\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.87\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate 
an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Excessive upload via Palo Alto GlobalProtect\",\r\n \"description\": \"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. It indicates anomalous high volume of upload in the last day.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\r\n \"name\": \"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n 
Syslog\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to Syslog\",\r\n \"description\": \"Identifies a match in Syslog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n 
\"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\r\n \"name\": \"a9956d3a-07a9-44a6-a279-081a85020cae\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\\n| where Total > threshold\\n| project ClientIP;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess() on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n 
\"displayName\": \"ClientDeniedAccess\",\r\n \"description\": \"Creates an incident in the event a Client has an excessive amounts of denied access requests.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecVIP\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\r\n \"name\": \"f2dd4a3a-ebac-4994-9499-1a859938c947\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between 
(startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated > ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), 
TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated > ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset 
per Hourly Partition\\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Time series anomaly for data size transferred to public internet\",\r\n \"description\": \"Identifies anomalous data transfer to 
public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\r\n \"name\": \"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > 
now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n 
\"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to WireData\",\r\n \"description\": \"Identifies a match in WireData from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\r\n \"name\": \"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = 
columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n 
\"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Sensitive Azure Key Vault operations\",\r\n \"description\": \"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\r\n \"name\": \"04384937-e927-4595-8f3c-89ff58ed231f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| 
where authAttempts > 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\r\n \"description\": \"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\r\n \"name\": \"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 50;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| where dcount_Dst_Port > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n 
\"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Port Scan Detected\",\r\n \"description\": \"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short period.\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SophosXGFirewall\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\r\n \"name\": \"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let cmdTokens0 = dynamic(['vbscript','jscript']);\\nlet cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);\\nlet cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);\\nSecurityEvent\\n| where TimeGenerated >= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @'\\\\Microsoft\\\\Windows\\\\CurrentVersion'\\n| where not(CommandLine has_any (@'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run', @'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce'))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where 
CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"NOBELIUM - Script payload stored in Registry\",\r\n \"description\": \"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\r\n \"name\": \"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": 
\"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated > ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !hassuffix \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated > ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime < spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P2D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n },\r\n {\r\n \"identifier\": \"Sid\",\r\n \"columnName\": 
\"SIDofAccountUsedToEnable\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account enabled and disabled within 10 mins\",\r\n \"description\": \"Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\r\n \"name\": \"707494a5-8e44-486b-90f8-155d1797a8eb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated >= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = 
targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated >= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent > TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\r\n 
\"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P2D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Credential added after admin consented to Application\",\r\n \"description\": \"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\r\n \"name\": \"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes made to AWS CloudTrail logs\",\r\n \"description\": \"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. 
\\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\r\n \"name\": \"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = 
TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Azure Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n 
},\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"First access credential added to Application or Service Principal where no credential was present\",\r\n \"description\": \"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\r\n \"name\": \"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// a threshold can be enabled, see commented line below for 
PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = 'FileUploaded';\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated >= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount > threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\\\\\.', '_',UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime 
= max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New executable via Office FileUploaded Operation\",\r\n \"description\": \"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\r\n \"name\": \"d804b39c-03a4-417c-a949-bdbf21fa3305\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\");\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\");\\nlet ips = (iocs | where Type =~ \\\"ip\\\");\\nlet domains = (iocs | where Type =~ \\\"domainname\\\");\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes 
with * 'SHA256=' SHA256 ',' *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(VMConnection\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\\n| where SourceIp in (ips) or DestinationIp in (ips)\\n| extend IPMatch = case( SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = 
case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where (RemoteIPType =~ \\\"Public\\\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\nDnsEvents\\n| where SubType =~ \\\"LookupQuery\\\"\\n| where Name has_any (domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\\n)\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Exchange Server 
Vulnerabilities Disclosed March 2021 IoC Match\",\r\n \"description\": \"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-04-01T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (CheckPoint)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Cisco)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (F5)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Fortinet)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (PaloAlto)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"WindowsFirewall\",\r\n \"dataTypes\": [\r\n \"WindowsFirewall\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\r\n \"name\": \"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// Adjust this to use a longer timeframe to identify ADFS servers\\nlet lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\nlet timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n| where TimeGenerated > ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, 
ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\\n| where EventID in (17,18)\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ADFS Key Export (Sysmon)\",\r\n \"description\": \"This detection uses Sysmon telemetry to detect potential ADFS certificate material export. 
\\nIn order to use this query you need to be collecting Sysmon EventIdD 17 and 18.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\r\n \"name\": \"5f0d80db-3415-4265-9d52-8466b7372e3a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure 
DevOps - PAT used with Browser.\",\r\n \"description\": \"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access for use in code or applications. Given this they can be prone to attacker theft if not adequately secured. This queries looks for the use of a PAT in authentication but from a User Agent indicating a browser. This should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\r\n \"name\": \"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SigninLogs | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend Region = 
tostring(LocationDetails[\\\"countryOrRegion\\\"]), State = tostring(LocationDetails[\\\"state\\\"]), City = tostring(LocationDetails[\\\"city\\\"])\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SigninLogs\",\r\n \"description\": \"Identifies a match in SigninLogs table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n 
\"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\r\n \"name\": \"75bf9902-0789-47c1-a5d8-f57046aa72df\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n 
\"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware in the recycle bin\",\r\n \"description\": \"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2018-09-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\r\n \"name\": \"23005e87-2d3a-482b-b03d-edbebd1ae151\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated > ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated > ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 
0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"HAFNIUM Suspicious Exchange Request\",\r\n \"description\": \"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0558155e-4556-447e-9a22-828f2a7de06b\",\r\n \"name\": \"0558155e-4556-447e-9a22-828f2a7de06b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"ProofPointTAPMessagesDelivered_CL\\n| mv-expand todynamic(threatsInfoMap_s)\\n| mv-expand todynamic(messageParts_s)\\n| extend threatType = tostring(threatsInfoMap_s.threatType), classification = 
tostring(threatsInfoMap_s.classification)\\n| extend filename = tostring(messageParts_s.filename)\\n| where threatType =~ \\\"attachment\\\" and classification =~ \\\"malware\\\"\\n| summarize filenames = make_set(filename), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, threatType, classification, Subject = subject_s\\n| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware attachment delivered\",\r\n \"description\": \"This query identifies a message containing a malware attachment that was delivered.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointTAP\",\r\n \"dataTypes\": [\r\n \"ProofPointTAPMessagesDelivered_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\r\n \"name\": \"3ff0fffb-d963-40c0-b235-3404f915add7\",\r\n \"type\": 
\"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"GitHub Two Factor Auth Disable\",\r\n \"description\": \"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\r\n \"name\": \"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let servicelist = dynamic(['Services\\\\\\\\HealthService', 'Services\\\\\\\\Sense', 'Services\\\\\\\\WinDefend', 'Services\\\\\\\\MsSecFlt', 'Services\\\\\\\\DiagTrack', 'Services\\\\\\\\SgrmBroker', 'Services\\\\\\\\SgrmAgent', 'Services\\\\\\\\AATPSensorUpdater' , 'Services\\\\\\\\AATPSensor', 'Services\\\\\\\\mpssvc']);\\nlet filename = dynamic([\\\"subinacl.exe\\\",'SetACL.exe']);\\nlet parameters = dynamic (['/deny=SYSTEM', '/deny=S-1-5-18', '/grant=SYSTEM=r', '/grant=S-1-5-18=r', 'n:SYSTEM;p:READ', 'n1:SYSTEM;ta:remtrst;w:dacl']);\\nlet FullAccess = dynamic(['A;CI;KA;;;SY', 'A;ID;KA;;;SY', 'A;CIID;KA;;;SY']);\\nlet ReadAccess = dynamic(['A;CI;KR;;;SY', 'A;ID;KR;;;SY', 'A;CIID;KR;;;SY']);\\nlet DenyAccess = dynamic(['D;CI;KR;;;SY', 'D;ID;KR;;;SY', 'D;CIID;KR;;;SY']);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == 'Key'\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * 'OldSd\\\">' OldSd \\\"<\\\" *\\n| parse EventData with * 'NewSd\\\">' NewSd \\\"<\\\" *\\n| extend Reason = case( (OldSd has ';;;SY' and NewSd !has ';;;SY'), 'System Account is removed', (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , 'System 
permission has been changed to read from full access', (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), 'System account has been given denied permission', 'None')\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated >= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Security Service Registry ACL Modification\",\r\n \"description\": \"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. \\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceProcessEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\r\n \"name\": \"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\r\n \"queryFrequency\": \"PT15M\",\r\n \"queryPeriod\": \"PT15M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"UrlCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Crypto Miner User-Agent Detected\",\r\n \"description\": \"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\r\n \"name\": \"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\r\n \"queryFrequency\": 
\"P3D\",\r\n \"queryPeriod\": \"P3D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"DeletingUser\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"DeletingIP\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Pipeline Created and Deleted on the Same Day\",\r\n \"description\": \"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\r\n \"name\": \"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non 
$left.TI_ipEntity == $right.cIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to W3CIISLog\",\r\n \"description\": \"Identifies a match in W3CIISLog from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": 
[\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\r\n \"name\": \"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A 
security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n },\r\n {\r\n \"identifier\": \"Sid\",\r\n \"columnName\": \"GroupCreateSubjectUserSid\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Group created then added to built in domain local or global group\",\r\n \"description\": \"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\r\n \"name\": \"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.1\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.7\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious volume of logins to user account with elevated token\",\r\n \"description\": \"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-09T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\r\n \"name\": \"5436f471-b03d-41cb-b333-65891f887c43\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"query\": \"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"GitHub Security Vulnerability in Repository\",\r\n \"description\": \"This alerts when there is a new security vulnerability in a GitHub repository.\",\r\n \"lastUpdatedDateUTC\": \"2021-01-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\r\n \"name\": 
\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * '(' DNSName ')' * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"DNS\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"DomainName\",\r\n \"columnName\": \"DNSName\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Solorigate Network Beacon\",\r\n \"description\": \"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceNetworkEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\r\n \"name\": \"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org']);\\nlet IPList = dynamic(['185.225.69.69']);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * '(' 
DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (DomainNames) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"DNS\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"DomainName\",\r\n \"columnName\": \"DNSName\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"NOBELIUM - Domain and IP IOCs - March 2021\",\r\n \"description\": \"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": 
\"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceNetworkEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\r\n \"name\": \"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"Unknown\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Fraction of failed signins\",\r\n \"Number of failed signins\",\r\n \"Failed signins to successful signins ratio\",\r\n \"Number of signins with incorrect passwords\",\r\n \"Incorrect passwords to correct passwords ratio\",\r\n \"Fraction of incorrect password signins\",\r\n \"Distinct number of app ids\",\r\n \"Distinct number of client apps\",\r\n \"Distinct number of ip addresses\",\r\n 
\"Distinct number of opperating systems\",\r\n \"Distinct number of browsers\",\r\n \"Distinct number of cities\",\r\n \"Distinct number of states\",\r\n \"Distinct number of countries\"\r\n ],\r\n \"values\": [\r\n \"Fraction of failed signins\",\r\n \"Number of failed signins\",\r\n \"Failed signins to successful signins ratio\",\r\n \"Number of signins with incorrect passwords\",\r\n \"Incorrect passwords to correct passwords ratio\",\r\n \"Fraction of incorrect password signins\",\r\n \"Distinct number of app ids\",\r\n \"Distinct number of client apps\",\r\n \"Distinct number of ip addresses\",\r\n \"Distinct number of opperating systems\",\r\n \"Distinct number of browsers\",\r\n \"Distinct number of cities\",\r\n \"Distinct number of states\",\r\n \"Distinct number of countries\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Top reason for high anomaly score\",\r\n \"description\": \"Include only anomalies where the top reason is one of these values.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0.0\",\r\n \"maximum\": \"1.0\",\r\n \"value\": \"0.5\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Anomalous Azure AD sign-in sessions\",\r\n \"description\": \"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input 
sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\r\n \"name\": \"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, 
OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to OfficeActivity\",\r\n \"description\": \"Identifies a match in OfficeActivity table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\r\n \"name\": \"1218175f-c534-421c-8070-5dcaabf28067\",\r\n \"type\": 
\"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount > threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious link sharing pattern\",\r\n \"description\": \"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. 
\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/154fde9f-ae00-4422-a8da-ef00b11da3fc\",\r\n \"name\": \"154fde9f-ae00-4422-a8da-ef00b11da3fc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 0\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid Indicators of Exposures\",\r\n \"description\": \"Searches for triggered Indicators of Exposures\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\r\n \"name\": \"f948a32f-226c-4116-bddd-d95e91d97eb9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = 
iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n 
\"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious application consent similar to O365 Attack Toolkit\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-03T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\r\n \"name\": \"45b903c5-6f56-4969-af10-ae62ac709718\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n 
\"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare RDP Connections\",\r\n \"description\": \"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 
days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-01-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"name\": \"327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Defender Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Microsoft Defender Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Microsoft Defender Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-10-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MDATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\r\n \"name\": \"4915c713-ab38-432e-800b-8e2d46933de6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": 
\"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.'; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet ssh_logins = Syslog\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)),\\nprivateIPLoginHistory = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory['logon_time']) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory['IPCount'])), publicAverage=avg(toint(publicIPLoginHistory['IPCount'])), publicStd=stdev(toint(publicIPLoginHistory['IPCount'])), maxPublicLoginCount=max(toint(publicIPLoginHistory['IPCount']))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory['logon_time']) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory['IPCount'])), privateAverage=avg(toint(privateIPLoginHistory['IPCount'])), privateStd=stdev(toint(privateIPLoginHistory['IPCount']))\\n)\\n// Some logins from private IPs\\n| where privateAverage > avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage > avgthreshold\\n// Approximate probability of 
seeing login from a public IP is < 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic < probabilityLimit\\n// Today has the highest number of logins from public IPs that we've seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday >= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we've identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New internet-exposed SSH endpoints\",\r\n \"description\": \"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\r\n \"name\": \"f041e01d-840d-43da-95c8-4188f6cef546\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n 
\"severity\": \"Medium\",\r\n \"query\": \"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\\n | distinct Country, Actor \\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"GitHub Activites from a New Country\",\r\n \"description\": \"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\r\n \"name\": \"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"ZoomLogs\\n| 
where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Zoom E2E Encryption Disabled\",\r\n \"description\": \"This alerts when end to end encryption is disabled for Zoom meetings.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\r\n \"name\": \"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize 
count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to DnsEvent\",\r\n \"description\": \"Identifies a match in DnsEvent table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n 
\"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\r\n \"name\": \"b8266f81-2715-41a6-9062-42486cbc9c73\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 200;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ > threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive NXDOMAIN DNS Queries\",\r\n 
\"description\": \"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"InfobloxNIOS\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\r\n \"name\": \"25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"afad_parser\\n| where MessageType == 2 and Codename == \\\"DCShadow\\\"\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid DCShadow\",\r\n \"description\": \"Searches for DCShadow attacks\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\r\n 
\"name\": \"12dcea64-bec2-41c9-9df2-9f28461b1295\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union ( \\n SecurityEvent\\n | where TimeGenerated > ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n 
\"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\r\n \"description\": \"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\r\n \"name\": \"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" 
,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds > TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents > TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent > PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Palo Alto - potential beaconing detected\",\r\n \"description\": \"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\r\n \"name\": \"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, 
IPCustomEntity = ipv4_s\",\r\n \"queryFrequency\": \"PT5M\",\r\n \"queryPeriod\": \"PT5M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Threats detected by Eset\",\r\n \"description\": \"Escalates threats detected by Eset.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"CredentialAccess\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-09T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"EsetSMC\",\r\n \"dataTypes\": [\r\n \"eset_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\r\n \"name\": \"a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-NATIVE-ADM-GROUP-MEMBERS\\\", \\\"C-KRBTGT-PASSWORD\\\", 
\\\"C-PROTECTED-USERS-GROUP-UNUSED\\\", \\\"C-ADMINCOUNT-ACCOUNT-PROPS\\\", \\\"C-ADM-ACC-USAGE\\\", \\\"C-LAPS-UNSECURE-CONFIG\\\", \\\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid privileged accounts issues\",\r\n \"description\": \"Searches for triggered Indicators of Exposures related to privileged accounts issues\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-07T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\r\n \"name\": \"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center\",\r\n \"displayName\": \"Create incidents based on Azure Security Center alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Security Center\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n 
\"SecurityAlert (ASC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\r\n \"name\": \"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n 
\"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to Syslog data\",\r\n \"description\": \"Identifies a match in Syslog data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\r\n \"name\": \"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription 
startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"HAFNIUM Suspicious UM Service Error\",\r\n \"description\": \"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-10T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\r\n \"name\": \"26a3b261-b997-4374-94ea-6c37f67f4f39\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", 
\\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", 
\\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA1=' SHA1 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" 
Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known GALLIUM domains and hashes\",\r\n \"description\": \"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. 
\\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3acf5617-7c41-4085-9a79-cc3a425ba83a\",\r\n \"name\": \"3acf5617-7c41-4085-9a79-cc3a425ba83a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"afad_parser\\n| where MessageType == 2 and Codename == \\\"OS Credential Dumping: LSASS Memory\\\"\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid LSASS Memory\",\r\n 
\"description\": \"Searches for OS Credentials dumping attacks\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\r\n \"name\": \"2560515c-07d1-434e-87fb-ebe3af267760\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n 
AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mail.Read Permissions Granted to Application\",\r\n \"description\": \"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. 
This can help identify applications that have been abused to gain access to mailboxes.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\r\n \"name\": \"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came 
from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, '|', 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\r\n \"description\": \"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-16T00:00:00Z\",\r\n 
\"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\r\n \"name\": \"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let endpointData = \\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n 
\"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Network endpoint to host executable correlation\",\r\n \"description\": \"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently run.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"TrendMicro\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\r\n \"name\": \"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let szOperationNames = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationName, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated > ago(endtime)\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatus = makeset(ActivityStatus), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious Resource deployment\",\r\n \"description\": \"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\r\n \"name\": \"fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-ACCOUNTS-DANG-SID-HISTORY\\\", \\\"C-PRE-WIN2000-ACCESS-MEMBERS\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-SLEEPING-ACCOUNTS\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-PASSWORD-NOT-REQUIRED\\\", \\\"C-USER-PASSWORD\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid user accounts issues\",\r\n \"description\": \"Searches for triggered Indicators of Exposures related to user accounts issues\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-07T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\r\n \"name\": \"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated >= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated >= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = 
strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Email access via active sync\",\r\n \"description\": \"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn't yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps \",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceProcessEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29094df8-e0c7-4475-a74c-bda74a07affb\",\r\n \"name\": \"29094df8-e0c7-4475-a74c-bda74a07affb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.1\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.03\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious volume of logins to user account by logon types\",\r\n \"description\": \"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-09T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\r\n \"name\": \"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n| join (\\nSecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, 
CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n },\r\n {\r\n \"identifier\": \"Sid\",\r\n \"columnName\": \"CreatedUserSid\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New user created and added to the built-in administrators group\",\r\n \"description\": \"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions reviewed.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\r\n \"name\": \"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\r\n \"type\": 
\"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.2.2\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.07\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious volume of logins to user account\",\r\n \"description\": \"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. It indicates anomalous high volume of successful logins in the last day\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\r\n \"name\": \"dd0a6029-ecef-4507-89c4-fc355ac52111\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of 
TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated > ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC's that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, '.')\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains 
where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CSL_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to CommonSecurityLog\",\r\n \"description\": \"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\r\n \"name\": \"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated > ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount > threshold;\\nOfficeActivity \\n| where TimeGenerated > ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SharePointFileOperation via devices with previously unseen user agents\",\r\n \"description\": \"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 5).\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-01T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\r\n \"name\": \"84cf1d59-f620-4fee-b569-68daf7008b7b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s >= threshold\\n| extend timestamp = StartTime\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"New High Severity Vulnerability Detected Across Multiple Hosts\",\r\n \"description\": \"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"QualysVulnerabilityManagement\",\r\n \"dataTypes\": [\r\n \"QualysHostDetection_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\r\n \"name\": \"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), 
\\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost 
':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known IRIDIUM IP\",\r\n \"description\": \"IRIDIUM command and control IP. 
Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-03T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\r\n \"name\": \"157c0cfc-d76d-463b-8755-c781608cdc1a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let PrivateIPregex = 
@'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n SigninLogs\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco - firewall block but success logon to Azure AD\",\r\n \"description\": \"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. 
\\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\r\n \"name\": \"a04cf847-a832-4c60-b687-b0b6147da219\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = 
\\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Manganese IP and UserAgent activity\",\r\n \"description\": \"Matches 
IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\r\n \"name\": \"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let logonDiff = 10m;\\nSigninLogs \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])\\n| join kind= inner (\\n SigninLogs \\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription\\n) on UserPrincipalName, AppDisplayName \\n| where 
SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription \\n| extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SuccessIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Successful logon from IP and failure from a different IP\",\r\n \"description\": \"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\r\n \"name\": \"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = 
toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Squid proxy events for ToR proxies\",\r\n \"description\": \"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\r\n \"name\": \"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where 
anomalies > 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated > ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated > ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount > 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal > percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n 
\"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Exchange workflow MailItemsAccessed operation anomaly\",\r\n \"description\": \"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\r\n \"name\": \"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, 
UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to internet facing AWS RDS Database instances\",\r\n \"description\": \"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. 
\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\r\n \"name\": \"09551db0-e147-4a0c-9e7b-918f88847605\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);\\nlet SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', 
'95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(DnsEvents\\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend DataType = \\\"DnsEvents\\\", IPAddress = ClientIP\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, 
TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * 'SHA256=' SHA256 ',' * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project 
Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known ZINC Comebacker and Klackring malware hashes\",\r\n 
\"description\": \"ZINC attacks against security researcher campaign malware hashes.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-03T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceProcessEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceFileEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceNetworkEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\r\n \"name\": \"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > 
now()\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map File Hash to Security Event\",\r\n \"description\": \"Identifies a match in Security Event data from any File Hash IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n 
\"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\r\n \"name\": \"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
\\nlet userfail = Syslog \\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts >= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationIP\",\r\n 
\"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed logon attempts in authpriv\",\r\n \"description\": \"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\r\n \"name\": \"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SigninLogs\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend 
AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = IPAddress\\n| extend URLCustomEntity = ClientAppUsed\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Explicit MFA Deny\",\r\n \"description\": \"User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\r\n \"name\": \"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts > 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\r\n \"description\": \"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n 
\"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\r\n \"name\": \"de58ee9e-b229-4252-8537-41a4c2f4045e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| extend file_ext = extract(@'.*(\\\\.\\\\w+)$', 1, UrlOriginal)\\n| extend Filename = extract(@'.*\\\\/*\\\\/(.*\\\\.\\\\w+)$', 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Request to blocklisted file type\",\r\n \"description\": \"Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": 
\"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\r\n \"name\": \"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": [\r\n {\r\n \"prioritize\": null,\r\n \"exclude\": \".txt,.jpg,.mp4\",\r\n \"dataType\": \"string\",\r\n \"name\": \"File extension\",\r\n \"description\": \"Give comma separated file extension to exclude from source data within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\r\n \"sequenceNumber\": 2,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"5\",\r\n \"maximum\": \"100\",\r\n \"value\": \"10\",\r\n \"name\": \"Minimum number of downgrades\",\r\n \"description\": \"Generate an anomaly when number of downgrade label is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Unusual mass downgrade AIP label\",\r\n \"description\": \"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and 
determines the sequence of activity performed on documents along with the label applied to classify unusual volume of downgrade activity.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-18T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureInformationProtection\",\r\n \"dataTypes\": [\r\n \"InformationProtectionLogs_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\r\n \"name\": \"53e936c6-6c30-4d12-8343-b8a0456e8429\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SUNSPOT malware hashes\",\r\n \"description\": \"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by 
Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceImageLoadEvents\",\r\n \"DeviceEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\r\n \"name\": \"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, 
ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ADO Build Variable Modified by New User.\",\r\n \"description\": \"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users just detecting these changes would have a high false positive rate. 
This detection looks for modifications to variable groups where that user has not been observed modifying them before.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\r\n \"name\": \"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet suspicious_signins =\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress != \\\"127.0.0.1\\\"\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where 
IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AzureAD logons but success logon to host\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n 
]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\r\n \"name\": \"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": [\r\n {\r\n \"prioritize\": null,\r\n \"exclude\": \".msg,.jpg,.txt\",\r\n \"dataType\": \"string\",\r\n \"name\": \"File extension\",\r\n \"description\": \"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\r\n \"sequenceNumber\": 2,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.9\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when the error percentile is greater than chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious number of protected documents accessed\",\r\n \"description\": \"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. 
\\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureInformationProtection\",\r\n \"dataTypes\": [\r\n \"InformationProtectionLogs_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\r\n \"name\": \"4a3073ac-7383-48a9-90a8-eb6716183a54\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = MD5\",\r\n 
\"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"FileHash\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Algorithm\",\r\n \"columnName\": \"MD5\"\r\n },\r\n {\r\n \"identifier\": \"Value\",\r\n \"columnName\": \"FileHashCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SUNBURST suspicious SolarWinds child processes\",\r\n \"description\": \"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceProcessEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\r\n \"name\": \"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\r\n \"type\": 
\"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityEvent\\n| where EventID == 4738\\n// 2089 value indicates the Don't Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"'Don't Expire Password' - Enabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"'Password Not Required' - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"'Password Not Required' - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n },\r\n {\r\n \"identifier\": \"Sid\",\r\n \"columnName\": \"TargetSid\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n 
],\r\n \"displayName\": \"AD account with Don't Expire Password\",\r\n \"description\": \"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don't Expire Password - Enabled\\\".\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\r\n \"name\": \"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 8;\\nCarbonBlackNotifications_CL\\n| where threatHunterInfo_score_d >= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n 
\"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Critical Threat Detected\",\r\n \"description\": \"This creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint.\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"VMwareCarbonBlack\",\r\n \"dataTypes\": [\r\n \"CarbonBlackNotifications_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\r\n \"name\": \"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| where NetworkBytes > msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ > msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\r\n \"queryFrequency\": \"PT30M\",\r\n \"queryPeriod\": \"PT30M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": 
{},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Multiple large emails to the same recipient\",\r\n \"description\": \"Detects when multiple emails with lage size where sent to the same recipient.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\r\n \"name\": \"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. 
with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Starting or Stopping HealthService to Avoid Detection\",\r\n \"description\": \"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the service.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\r\n \"name\": 
\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount > triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated > ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) > dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri's and/or >=3 repeating letters\\nlet nonRepeatingTris = 
allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ > 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated > ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"DNS\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"DomainName\",\r\n \"columnName\": \"Name\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Possible contact with a domain generated by a DGA\",\r\n \"description\": \"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). 
DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Barracuda\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\r\n \"name\": 
\"78422ef2-62bf-48ca-9bab-72c69818a425\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio > threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple RDP connections from Single System\",\r\n \"description\": \"Identifies when an RDP connection is made to multiple systems and above 
the normal for the previous 7 days. \\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\r\n \"name\": \"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityAlert | where TimeGenerated >= ago(dt_lookBack)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ 
\\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend SecurityAlert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityAlert_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = SecurityAlert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SecurityAlert\",\r\n \"description\": \"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n 
\"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\r\n \"name\": \"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\\n| where attachedMimeType == 'application/zip'\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ > msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\r\n \"queryFrequency\": \"PT30M\",\r\n \"queryPeriod\": \"PT30M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Multiple archived attachments to the same recipient\",\r\n \"description\": \"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n 
\"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\r\n \"name\": \"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n 
\"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map File Hash to CommonSecurityLog Event\",\r\n \"description\": \"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00282588-11e7-436d-90e8-011256c3c691\",\r\n \"name\": \"00282588-11e7-436d-90e8-011256c3c691\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n 
\"query\": \"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == 'medium' or modelSeverity_s == 'low'\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Create Incident for XDR Alerts (Medium & Low)\",\r\n \"description\": \"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Azure Sentinel usage. 
(Medium & Low Serverity Alerts)\",\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"TrendMicroXDR\",\r\n \"dataTypes\": [\r\n \"TrendMicro_XDR_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\r\n \"name\": \"46ac55ae-47b8-414a-8f94-89ccd1962178\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let mode = 'Blocked'; \\nlet successCode = dynamic(['200', '101','204', '400','504','304','401','500']);\\nlet minTime = ago(1d);\\nlet maxSessionWindow = 1h;\\nlet sessionBin = maxSessionWindow/2.0;\\nAzureDiagnostics\\n| where TimeGenerated > minTime\\n| where Category == 'ApplicationGatewayFirewallLog'\\n| where action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\\n| extend duration = maxTime - minTime\\n| extend TimeKey = bin(SessionStarted, sessionBin)\\n| join kind = inner(\\nAzureDiagnostics\\n| where TimeGenerated > minTime\\n| where Category == 'ApplicationGatewayAccessLog'\\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n) 
on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\\n| where (TimeGenerated - SessionStarted) between (0m .. duration)\\n| extend originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\")\\n| extend serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \\nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| where SessionBlockedCount > SuccessfulAccessLogCount\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"A potentially malicious web request was executed against a web server\",\r\n \"description\": \"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. 
The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-20T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\r\n \"name\": \"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI's seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes > 0 and ReceivedBytes > 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited 
for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI <= uriThreshold\\n| where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN's while decreasing FP's\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Request for single resource on domain\",\r\n \"description\": \"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. 
Developed for Zscaler but applicable to any outbound web logging.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"name\": \"155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", 
DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName in~ (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPCustomEntity = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Phosphorus group domains/IP\",\r\n \"description\": \"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-03T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n 
\"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8675dd7a-795e-4d56-a79c-fc848c5ee61c\",\r\n \"name\": \"8675dd7a-795e-4d56-a79c-fc848c5ee61c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"ProofPointTAPClicksPermitted_CL\\n| where classification_s =~ \\\"malware\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\\n| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress, URLCustomEntity = URLClicked\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n 
{\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware Link Clicked\",\r\n \"description\": \"This query identifies a user clicking on an email link whose threat category is classified as a malware\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointTAP\",\r\n \"dataTypes\": [\r\n \"ProofPointTAPClicksPermitted_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\r\n \"name\": \"fbfbf530-506b-49a4-81ad-4030885a195c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated > ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where 
alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated > ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n 
\"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\r\n \"description\": \"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-05-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\r\n \"name\": \"0bd65651-1404-438b-8f63-eecddcec87b4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n 
\"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nEvent\\n| where TimeGenerated > ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n| union isfuzzy=true (\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has 'wmiprvse.exe'\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any ('rundll32') \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where 
TimeGenerated > ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Gain Code Execution on ADFS Server via Remote WMI Execution\",\r\n \"description\": \"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look 
for potentially malicious ADFS activity. See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\r\n \"name\": \"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^']*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"HAFNIUM Suspicious File Downloads.\",\r\n \"description\": \"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-10T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\r\n \"name\": \"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, 
AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Exchange AuditLog disabled\",\r\n \"description\": \"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\r\n \"name\": \"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet 
AC_Add = \\nSecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * '\\\"MemberName\\\">' AccountAdded \\\",OU\\\" * \\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * '\\\"MemberName\\\">' AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed > 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Account added and removed from privileged groups\",\r\n \"description\": \"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' \",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\r\n \"name\": \"472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-CLEARTEXT-PASSWORD\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-USER-REVER-PWDS\\\", \\\"C-PASSWORD-POLICY\\\", \\\"C-USER-PASSWORD\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-AAD-SSO-PASSWORD\\\", \\\"C-REVER-PWD-GPO\\\"];\\nafad_parser\\n| where MessageType == 0 and 
Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid Password issues\",\r\n \"description\": \"Searches for triggered Indicators of Exposures related to password issues\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-07T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\r\n \"name\": \"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookback = 14d;\\nlet timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"HAFNIUM New UM Service Child Process\",\r\n \"description\": \"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\r\n \"name\": \"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookBack_long = 14d;\\nlet lookBack_med = 7d;\\nlet lookBack = 1d;\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack_long))\\n| extend locationString = 
strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope > 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack_med))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n| top 50 by Slope desc\\n| where Slope > 0.3\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in 
range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n| where Slope > 5\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous sign-in location by user account and authenticating application\",\r\n \"description\": \"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. 
An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 7-day and 14-day periods.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\r\n \"name\": \"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = 
toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, 
last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco ASA - average attack detection rate increase\",\r\n \"description\": \"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\r\n \"name\": \"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" \\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords '}'*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords '}'*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords '}'*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = 
StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malicious Inbox Rule\",\r\n \"description\": \"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they've been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\r\n \"name\": \"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"AzureActivity\\n| extend message = tostring(parse_json(Properties).message)\\n| extend AppId = tostring(parse_json(Claims).appid)\\n| where AppId contains \\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\"\\n| where OperationName =~ \\\"Microsoft.Portal/consoles/write\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New CloudShell User\",\r\n \"description\": 
\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\r\n \"name\": \"cf3ede88-a429-493b-9108-3e46d3c741f7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated > ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in 
each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess >= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SecurityEvent - Multiple authentication failures followed by a success\",\r\n \"description\": \"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\r\n \"name\": \"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let threshold = 100;\\nSymantecProxySG \\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ > threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n 
\"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Denied Proxy Traffic\",\r\n \"description\": \"This alert creates an incident when a client generates an excessive amounts of denied proxy traffic.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecProxySG\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\r\n \"name\": \"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 3;\\nSigninLogs\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count(), applicationCount = dcount(AppDisplayName), \\napplicationSet = makeset(AppDisplayName) by UserPrincipalName, IPAddress\\n| where applicationCount >= threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Attempts to sign in to disabled accounts\",\r\n \"description\": \"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\r\n \"name\": \"32555639-b639-4c2b-afda-c0ae0abefa55\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n 
],\r\n \"displayName\": \"Monitor AWS Credential abuse or hijacking\",\r\n \"description\": \"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\r\n \"name\": \"910124df-913c-47e3-a7cd-29e1643fa55e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ > signin_threshold\\n| summarize 
make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AWS Console logons but success logon to AzureAD\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\r\n \"name\": \"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SymantecProxySG\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User Accessed Suspicious URL Categories\",\r\n \"description\": \"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n 
{\r\n \"connectorId\": \"SymantecProxySG\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\r\n \"name\": \"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let s_threshold = 30;\\nlet l_threshold = 3;\\nSigninLogs\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \\n| extend LocationString= strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount > s_threshold and LocationCount >= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Distributed Password cracking attempts in AzureAD\",\r\n \"description\": \"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\r\n \"name\": 
\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let regexEmpire = @\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get
-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-
NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllT
okens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, ' ')[0]), CommandLine\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate('\\\\0','', base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Powershell Empire cmdlets seen in command line\",\r\n \"description\": \"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\r\n \"name\": \"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated > ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld > threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = 
tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld > threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P10D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential DGA detected\",\r\n \"description\": \"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). 
Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\r\n \"name\": \"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key =tostring(['@Name']), Value = ['#text']\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, 
HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\r\n \"description\": \"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-18T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\r\n \"name\": \"5efb0cfd-063d-417a-803b-562eae5b0301\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated >= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount > ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', DefId),\\nstrcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\\n| where CurrentCount >= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = StartTime, AccountCustomEntity = ActorUPN\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": 
\"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Service Conection Addition/Abuse - Historic Allowlist\",\r\n \"description\": \"This detection builds a allowlist of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use in non manually allowlisted, non historically allowlisted Build/Release runs.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\r\n \"name\": \"4ca74dc0-8352-4ac5-893c-73571cc78331\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = 
tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps - Variable Secret Not Secured\",\r\n \"description\": \"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as secrets. 
This detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\r\n \"name\": \"2b701288-b428-4fb8-805e-e4372c574786\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet signinData =\\n SigninLogs\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(LocationDetails['countryOrRegion'])\\n | where isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | 
summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta >= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries >= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in data, this can be configured, less than 10% is uncommon\\n| where prevalence < countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n OfficeActivity\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", 
\\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous login followed by Teams action\",\r\n \"description\": \"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and 
selects accounts where a delta >= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\r\n \"name\": \"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": 
\"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Connection to non-corporate private network\",\r\n \"description\": \"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\r\n \"name\": \"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| extend Hostname = 
parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"UrlCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Connection to Unpopular Website Detected\",\r\n \"description\": \"Detects first connection to an unpopular website (possible malicious payload delivery).\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\r\n \"name\": \"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 15;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ 
\\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Failed Authentication from Invalid Inputs\",\r\n \"description\": \"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecVIP\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a602940-4153-4045-a741-3bf15591ae29\",\r\n \"name\": \"8a602940-4153-4045-a741-3bf15591ae29\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.2.2\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": 
null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.4\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Attempted computer bruteforce\",\r\n \"description\": \"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. It indicates anomalous high volume of failed login attempts in the last day.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\r\n \"name\": \"106813db-679e-4382-a51b-1bfc463befc3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n 
CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CSL_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CSL_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to PaloAlto 
data\",\r\n \"description\": \"Identifies a match in PaloAlto data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\r\n \"name\": \"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod; \\nlet GitHubFailedSSOLogins = (SigninLogs \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime) \\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime)\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime > LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Brute Force Attack against GitHub Account\",\r\n \"description\": \"Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-20T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"name\": \"f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Fusion\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"displayName\": \"Advanced Multistage Attack Detection\",\r\n \"description\": \"Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. 
By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nThere are a total of 90 Fusion incident types detected by Azure Sentinel.\\n\\nTo detect these multistage attacks, the following data connectors must be configured:\\n- Azure Active Directory Identity Protection.\\n- Microsoft Cloud App Security.\\n- Microsoft Defender for Endpoint.\\n- Azure Defender.\\n- Palo Alto Networks.\\n\\nFor a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"CommandAndControl\",\r\n \"DefenseEvasion\",\r\n \"Discovery\",\r\n \"Execution\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"InitialAccess\",\r\n \"LateralMovement\",\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-09T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\r\n \"name\": \"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 10m;\\nlet disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'inbound'\\n| where FilterDisposition !in ('reject', 'discard')\\n| extend attachedExt = todynamic(MsgParts)[0]['detectedExt']\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = 
DstUserUpn\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Suspicious attachment\",\r\n \"description\": \"Detects when email contains suspicious attachment (file type).\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\r\n \"name\": \"643c2025-9604-47c5-833f-7b4b9378a1f5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet Suspicious_signins = \\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress != \\\"127.0.0.1\\\"\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = 
tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AzureAD logons but success logon to AWS Console\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\r\n \"name\": \"2fc5d810-c9cc-491a-b564-841427ae0e50\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": 
\"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SecurityEvent\",\r\n \"description\": \"Identifies a match in SecurityEvent table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\r\n \"name\": \"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": 
\"MLBehaviorAnalytics\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Anomalous SSH Login Detection\",\r\n \"description\": \"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Azure Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Azure Sentinel workspace’s geography as necessary for processing by the machine learning engine.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\r\n \"name\": \"8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": 
\"High\",\r\n \"query\": \"let timeframe = 14d;\\nlet time_generated_bucket = 1h;\\nlet min_urgency = 9;\\nlet maxTimeGeneratedBucket = toscalar(\\n CyberpionActionItems_CL\\n | where TimeGenerated > ago(timeframe)\\n | summarize max(bin(TimeGenerated, time_generated_bucket))\\n );\\nCyberpionActionItems_CL\\n | where TimeGenerated > ago(timeframe) and is_open_b == true\\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\\n | where urgency_d >= min_urgency\\n | extend timestamp = opening_datetime_t\\n | extend DNSCustomEntity = host_s\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"DNS\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"DomainName\",\r\n \"columnName\": \"DNSCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High Urgency Cyberpion Action Items\",\r\n \"description\": \"This query creates an alert for active Cyberpion Action Items with high urgency (9-10).\\n Urgency can be altered using the \\\"min_urgency\\\" variable in the query.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CyberpionSecurityLogs\",\r\n \"dataTypes\": [\r\n \"CyberpionActionItems_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\r\n \"name\": \"40ba9493-4183-4eee-974f-87fe39c8f267\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": 
\"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Azure Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (AATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\r\n \"name\": \"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.2.2\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.1\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Attempted user account bruteforce\",\r\n \"description\": \"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\r\n \"name\": \"d3980830-dd9d-40a5-911f-76b44dfdce16\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SigninLogs\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName\\n| where CountOfLocations > 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"GitHub Signin Burst from Multiple Locations\",\r\n \"description\": \"This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": 
\"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\r\n \"name\": \"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = MD5\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"FileHash\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Algorithm\",\r\n \"columnName\": \"MD5\"\r\n },\r\n 
{\r\n \"identifier\": \"Value\",\r\n \"columnName\": \"FileHashCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SUNBURST and SUPERNOVA backdoor hashes\",\r\n \"description\": \"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-31T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceFileEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\r\n \"name\": \"ba144bf8-75b8-406f-9420-ed74397f9479\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet suspicious_signins = \\n SigninLogs\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress != \\\"127.0.0.1\\\"\\n | summarize count() by IPAddress\\n | where count_ > signin_threshold\\n | summarize 
make_list(IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\\\"User name: ([^,]+)\\\", 1, Message) \\n | extend ClientOS = extract(\\\"Client OS version: ([^,\\\\\\\"]+)\\\", 1, Message)\\n | extend Location = extract(\\\"Source region: ([^,]{2})\\\",1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\r\n \"description\": 
\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-09-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\r\n \"name\": \"9f86885f-f31f-4e66-a39d-352771ee789e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"CarbonBlackEvents_CL\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n 
\"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Malware Detected\",\r\n \"description\": \"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"VMwareCarbonBlack\",\r\n \"dataTypes\": [\r\n \"CarbonBlackEvents_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\r\n \"name\": \"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.2.2\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.07\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n 
\"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious volume of logins to computer\",\r\n \"description\": \"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. It indicates anomalous high volume of successful logins in the last day\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\r\n \"name\": \"957cb240-f45d-4491-9ba5-93430a3c08be\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any ('NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)','devilfish-applicationaccount') and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare and potentially high-risk Office operations\",\r\n \"description\": \"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\r\n \"name\": \"44a555d8-ecee-4a25-95ce-055879b4b14b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI 
application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), 
makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount >= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of connections by client IP on many ports\",\r\n \"description\": \"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. 
\\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\r\n \"name\": \"ab4b6944-a20d-42ab-8b63-238426525801\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated >= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests 
= count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where TimeGenerated >= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated >= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"HostName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"DNS\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"DomainName\",\r\n \"columnName\": \"DNSName\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Process\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"ProcessId\",\r\n \"columnName\": \"FirstPid\"\r\n },\r\n {\r\n \"identifier\": \"CommandLine\",\r\n \"columnName\": \"CommandLine\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"File\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Directory\",\r\n \"columnName\": \"DirectoryName\"\r\n },\r\n {\r\n \"identifier\": \"Name\",\r\n 
\"columnName\": \"Filename\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Solorigate Domains Found in VM Insights\",\r\n \"description\": \"Identifies connections to Solorigate-related DNS records based on VM insights data\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMProcess\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMComputer\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\r\n \"name\": \"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where 
Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Office policy tampering\",\r\n \"description\": \"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\r\n \"name\": \"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": 
\"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to AWS Elastic Load Balancer security groups\",\r\n \"description\": \"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\r\n \"name\": \"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", 
\\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"THALLIUM domains included in DCU takedown\",\r\n \"description\": \"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. 
\\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-01-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\r\n \"name\": \"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"W3CIISLog\\n| where csMethod == 'GET'\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = 
csUserName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SUPERNOVA webshell\",\r\n \"description\": \"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\r\n \"name\": \"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = 
SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode('base64')\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Process executed from binary hidden in Base64 encoded file\",\r\n \"description\": \"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\r\n \"name\": \"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, 
IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to AuditLogs\",\r\n \"description\": \"Identifies a match in AuditLogs from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\r\n \"name\": \"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dontnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated > ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated > ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file 
modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime <= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Build Process Compromise - MDE\",\r\n \"description\": \"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceProcessEvents\",\r\n \"DeviceFileEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\r\n \"name\": \"4b93c5af-d20b-4236-b696-a28b8c51407f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated > ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated > ago(timeframe) \\n // A user account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = 
SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime < spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P2D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n },\r\n {\r\n \"identifier\": \"Sid\",\r\n \"columnName\": \"SIDofAccountUsedToCreate\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account created and deleted within 10 mins\",\r\n \"description\": \"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\r\n \"name\": \"23de46ea-c425-4a77-b456-511ae4855d69\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic(\\n[\\\"List keys\\\", \\\"List Storage Account Keys\\\", \\\"Register Subscription\\\", \\\"Create or Update Snapshot\\\", \\\"Create or Update Network Security Group\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationName in~ (SensitiveOperationList)\\n| where ActivityStatus =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ >= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated >= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationName\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare subscription-level operations in Azure\",\r\n \"description\": \"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\r\n \"name\": \"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'inbound'\\n| where FilterDisposition !in ('reject', 'discard')\\n| where FilterModulesSpamScoresOverall == '100'\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - High risk message not discarded\",\r\n \"description\": \"Detects when email with high risk score was not rejected or discarded by filters.\",\r\n \"tactics\": [\r\n 
\"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\r\n \"name\": \"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"Unknown\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Distinct number of operations\",\r\n \"Distinct number of ClientInfoString\",\r\n \"Distinct number of mailboxes\",\r\n \"Number of operations\",\r\n \"Distinct number of IP addresses\",\r\n \"Distinct number of /24 subnets\",\r\n \"Distinct number of /16 subnets\",\r\n \"Number of MessageBind operations\",\r\n \"Number of FolderBind operations\",\r\n \"Number of UpdateInboxRules operations\",\r\n \"Number of MailItemsAccessed operations\"\r\n ],\r\n \"values\": [\r\n \"Distinct number of operations\",\r\n \"Distinct number of ClientInfoString\",\r\n \"Distinct number of mailboxes\",\r\n \"Number of operations\",\r\n \"Distinct number of IP addresses\",\r\n \"Distinct number of /24 subnets\",\r\n \"Distinct number of /16 subnets\",\r\n \"Number of MessageBind operations\",\r\n \"Number of FolderBind operations\",\r\n \"Number of UpdateInboxRules operations\",\r\n \"Number of MailItemsAccessed operations\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n 
\"valuesKql\": null,\r\n \"name\": \"Top reason for high anomaly score\",\r\n \"description\": \"Include only anomalies where the top reason is one of these values.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0.0\",\r\n \"maximum\": \"1.0\",\r\n \"value\": \"0.6\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Anomalous user activities in Office Exchange\",\r\n \"description\": \"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity (Exchange)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\r\n \"name\": \"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ >= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n 
]\r\n }\r\n ],\r\n \"displayName\": \"Several deny actions registered\",\r\n \"description\": \"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"LateralMovement\",\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\r\n \"name\": \"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 1000;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ > threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential DHCP 
Starvation Attack\",\r\n \"description\": \"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"InfobloxNIOS\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\r\n \"name\": \"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"ThreatIntelligence\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Microsoft Threat Intelligence Analytics\",\r\n \"description\": \"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity and are turned ON by default. 
\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-15T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\r\n \"name\": \"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s > FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n 
\"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Password Spray Attack\",\r\n \"description\": \"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\r\n \"name\": \"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", 
\\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"InitiatingProcessAccountUpn\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"DeviceName\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"HAFNIUM UM Service writing suspicious file\",\r\n \"description\": \"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-08T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceFileEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 
0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3c658bd-8da9-4372-82e4-aaffa922f428\",\r\n \"name\": \"d3c658bd-8da9-4372-82e4-aaffa922f428\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"afad_parser\\n| where MessageType == 2 and Codename == \\\"DCSync\\\"\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid DCSync\",\r\n \"description\": \"Searches for DCSync attacks\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\r\n \"name\": \"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * 'TicketEncryptionType\\\">' TicketEncryptionType \\\"<\\\" *\\n| 
where TicketEncryptionType == '0x17'\\n| parse EventData with * 'TicketOptions\\\">' TicketOptions \\\"<\\\" *\\n| where TicketOptions == '0x40810000'\\n| parse EventData with * 'Status\\\">' Status \\\"<\\\" *\\n| where Status == '0x0'\\n| parse EventData with * 'ServiceName\\\">' ServiceName \\\"<\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * 'TargetUserName\\\">' TargetUserName \\\"<\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * 'IpAddress\\\">::ffff:' ClientIPAddress \\\"<\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h < prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated >= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h > prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = 
ClientIPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Kerberoasting\",\r\n \"description\": \"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. 
This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\r\n \"name\": \"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ 
\\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure Key Vault access TimeSeries anomaly\",\r\n \"description\": \"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. 
Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\r\n \"name\": \"500415fb-bba7-4227-a08a-9857fb61b6a7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n 
ClientIP has \\\".\\\" and ClientIP has \\\":\\\", (split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mail redirect via ExO transport rule\",\r\n \"description\": \"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-05-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\r\n \"name\": \"f845881e-2500-44dc-8ed7-b372af3e1e25\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount < c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n 
\"displayName\": \"Anomalous User Agent connection attempt\",\r\n \"description\": \"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\r\n \"name\": \"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, 
EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, Category, OperationName,\\nOperationNameValue, ActivityStatus, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to AzureActivity\",\r\n \"description\": \"Identifies a match in AzureActivity table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\r\n \"name\": \"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 0\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps - Retention Reduced to Zero\",\r\n \"description\": \"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs to 0.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\r\n \"name\": \"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace('\\\"','',newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = initByApp.servicePrincipalId,\\nServicePrincipalName = initByApp.servicePrincipalName,\\nUserId = 
initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = initByUser.userPrincipalName\\n//| where GroupName in~ (PrivilegedGroups)\\n// If you want to still alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User added to Azure Active Directory Privileged Groups\",\r\n \"description\": \"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-25T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n 
\"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\r\n \"name\": \"500c103a-0319-4d56-8e99-3cec8d860757\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SigninLogs \\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = makeset(UserPrincipalName), \\napplicationSet = makeset(AppDisplayName) by IPAddress\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = makeset(UserPrincipalName, 15) by IPAddress\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount < 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where successfulAccountSigninCount != 0\\n| project StartTimeUtc, EndTimeUtc, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet\\n| order by disabledAccountLoginAttempts\\n| extend 
timestamp = StartTimeUtc, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\r\n \"description\": \"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\r\n \"name\": \"9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Spraying\\\"\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": 
[],\r\n \"displayName\": \"Alsid Password Spraying\",\r\n \"description\": \"Searches for Password spraying attacks\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\r\n \"name\": \"8d537f3c-094f-430c-a588-8a87da36ee3a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 15m;\\nlet user_agents=dynamic([\\n '(hydra)',\\n ' arachni/',\\n ' BFAC ',\\n ' brutus ',\\n ' cgichk ',\\n 'core-project/1.0',\\n ' crimscanner/',\\n 'datacha0s',\\n 'dirbuster',\\n 'domino hunter',\\n 'dotdotpwn',\\n 'FHScan Core',\\n 'floodgate',\\n 'get-minimal',\\n 'gootkit auto-rooter scanner',\\n 'grendel-scan',\\n ' inspath ',\\n 'internet ninja',\\n 'jaascois',\\n ' zmeu ',\\n 'masscan',\\n ' metis ',\\n 'morfeus fucking scanner',\\n 'n-stealth',\\n 'nsauditor',\\n 'pmafind',\\n 'security scan',\\n 'springenwerk',\\n 'teh forest lobster',\\n 'toata dragostea',\\n ' vega/',\\n 'voideye',\\n 'webshag',\\n 'webvulnscan',\\n ' whcc/',\\n ' Havij',\\n 'absinthe',\\n 'bsqlbf',\\n 'mysqloit',\\n 'pangolin',\\n 'sql power injector',\\n 'sqlmap',\\n 'sqlninja',\\n 'uil2pn',\\n 'ruler',\\n 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated 
> ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\r\n \"queryFrequency\": \"PT15M\",\r\n \"queryPeriod\": \"PT15M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"UrlCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Hack Tool User-Agent Detected\",\r\n \"description\": \"Detects suspicious user agent strings used by known hack tools\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\r\n \"name\": \"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal 
contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\r\n \"queryFrequency\": \"PT15M\",\r\n \"queryPeriod\": \"PT15M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"UrlCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\r\n \"description\": \"Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\r\n \"name\": \"34663177-8abf-4db1-b0a4-5683ab273f44\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let threshold = 20;\\nPulseConnectSecure\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ > threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"PulseConnectSecure - Potential Brute Force Attempts\",\r\n \"description\": \"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PulseConnectSecure\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\r\n \"name\": \"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated > ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name > threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name > threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare client observed with high reverse DNS lookup count\",\r\n \"description\": \"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\r\n \"name\": \"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": 
\"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let EventCountThreshold = 25;\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ > EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| 
where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mass secret retrieval from Azure Key Vault\",\r\n \"description\": \"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\r\n \"name\": \"39198934-62a0-4781-8416-a81265c03fd6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" 
and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, 
AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious application consent similar to PwnAuth\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-03T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\r\n \"name\": \"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, 
TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AddingUser\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New PA, PCA, or PCAS added to Azure DevOps\",\r\n \"description\": \"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. This detection looks for users being granted key administrative permissions. If the principal of least privilege is applied the number of users granted these permissions should be small. 
Note that permissions can also be granted via Azure AD groups and monitoring of these should also be conducted.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\r\n \"name\": \"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend 
CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff('minute', Alert1Time, Alert2Time)) <=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\r\n \"description\": \"When a user has both an Unfamiliar sign-in properties alert and an Atypical travel alert within 20 minutes, the alert should be handled with a higher severity\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectoryIdentityProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (IPC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\r\n \"name\": \"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA256=' SHA265 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": 
\"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known ZINC related maldoc hash\",\r\n \"description\": \"Document hash used by ZINC in highly targeted spear phishing campaign.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\r\n \"name\": \"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the 
same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Agent Pool Created Then Deleted\",\r\n \"description\": \"As well as adding build agents to an existing pool to execute malicious activity within a pipeline an attacker could create a complete new agent pool and use this for execution. Azure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this detection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), as an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\r\n \"name\": \"2b328487-162d-4034-b472-59f1d53684a1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal == ''\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\r\n \"queryFrequency\": \"PT15M\",\r\n \"queryPeriod\": \"PT15M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"UrlCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Empty User Agent Detected\",\r\n \"description\": \"Rule helps to detect empty and unusual user agent indicating web browsing 
activity by an unusual process other than a web browser.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\r\n \"name\": \"3533f74c-9207-4047-96e2-0eb9383be587\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or 
ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = 
tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious application consent for offline access\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-09T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\r\n \"name\": \"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == 
\\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known CERIUM domains and hashes\",\r\n \"description\": \"CERIUM malicious webserver and hash values for maldocs and malware. 
\\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\r\n \"name\": \"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend 
Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to SecurityAlert data\",\r\n \"description\": \"Identifies a match in SecurityAlert data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\r\n \"name\": \"06107abb-1b68-4fdc-841b-8a1ff9301467\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.1\",\r\n \"techniques\": [\r\n \"T1030\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.87\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\r\n \"description\": \"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\r\n \"name\": \"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our 
threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == 'host', EntityHostName, '')\\n | extend IP_addr = iif(EntityType == 'ip', EntityAddress, '')\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to SecurityAlert\",\r\n \"description\": \"Identifies a match in SecurityAlert table from 
any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\r\n \"name\": \"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"CommonSecurityLog \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. 
toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. \\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ >= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": 
\"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Palo Alto - possible internal to external port scanning\",\r\n \"description\": \"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\r\n \"name\": \"69a45b05-71f5-45ca-8944-2e038747fb39\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let endtime = 1d;\\nlet starttime = 8d;\\n// The 
threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --> SecondHop > FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --> FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --> FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop > FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop <= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by 
bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount >= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"RDP Nesting\",\r\n \"description\": \"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\r\n \"name\": \"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"eset_CL\\n| where event_type_s == 'FilteredWebsites_Event'\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\r\n \"queryFrequency\": \"PT5M\",\r\n \"queryPeriod\": \"PT5M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n 
}\r\n ],\r\n \"displayName\": \"Web sites blocked by Eset\",\r\n \"description\": \"Create alert on web sites blocked by Eset.\",\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-09T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"EsetSMC\",\r\n \"dataTypes\": [\r\n \"eset_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\r\n \"name\": \"223db5c1-1bf8-47d8-8806-bed401b356a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet azPortalSignins = materialize(SigninLogs\\n| where TimeGenerated >= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated > TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = 
tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation\\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed login attempts to Azure Portal\",\r\n \"description\": \"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\r\n \"name\": \"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains 'auth' and ProcessName != 'sudo'\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != 
\\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ > signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed host logons but success logon to AzureAD\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 
0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\r\n \"name\": \"d564ff12-8f53-41b8-8649-44f76b37b99f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount > ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', DefId),\\n strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\\n| extend timestamp = StartTime\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Azure DevOps Service Conection Abuse\",\r\n \"description\": \"Flags builds/releases that use a large number of service connections if they aren't manually allowlisted.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\r\n \"name\": \"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\")\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SUNSPOT log file creation\",\r\n \"description\": \"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the 
SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceFileEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\r\n \"name\": \"f110287e-1358-490d-8147-ed804b328514\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), 
NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AWSCloudTrail\",\r\n \"description\": \"Identifies a match in AWSCloudTrail from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n 
\"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\r\n \"name\": \"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where published_t >= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\r\n \"queryFrequency\": \"PT3H\",\r\n \"queryPeriod\": \"PT3H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User Login from Different Countries within 3 hours\",\r\n \"description\": \"This query searches for successful user logins to the Okta Console from different countries within 3 hours\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n 
\"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\r\n \"name\": \"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| 
project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"External Upstream Source Added to Azure DevOps Feed\",\r\n \"description\": \"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. 
An attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\r\n \"name\": \"f2eb15bd-8a88-4b24-9281-e133edfba315\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n SigninLogs | where TimeGenerated >= ago(dt_lookBack)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend Region = tostring(LocationDetails[\\\"countryOrRegion\\\"]), State = 
tostring(LocationDetails[\\\"state\\\"]), City = tostring(LocationDetails[\\\"city\\\"])\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to SigninLogs\",\r\n \"description\": \"Identifies a match in SigninLogs from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": 
\"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\r\n \"name\": \"074ce265-f684-41cd-af07-613c5f3e6d0d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| extend IPAddress = RemoteIp, Host = Computer),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known STRONTIUM group domains - July 2019\",\r\n \"description\": \"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-25T00:00:00Z\",\r\n \"status\": 
\"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\r\n \"name\": \"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Cloud App Security\",\r\n \"displayName\": \"Create incidents based on Microsoft Cloud App Security alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Microsoft Cloud App Security\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MCAS)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\r\n \"name\": 
\"173f8699-6af5-484a-8b06-8c47ba89b380\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) > max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple Teams deleted by a single user\",\r\n \"description\": \"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Azure Sentinel.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity (Teams)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\r\n \"name\": 
\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n// When MemberName contains '-' this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = tostring(split(tostring(split(MemberName, \\\",\\\")[0]),\\\"CN=\\\")[1])\\n| project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n 
{\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account added to built in domain local or global group\",\r\n \"description\": \"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\r\n \"name\": \"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, 
UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to AWS Security Group ingress and egress settings\",\r\n \"description\": \"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\r\n \"name\": \"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MLBehaviorAnalytics\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n 
\"displayName\": \"(Preview) Anomalous RDP Login Detections\",\r\n \"description\": \"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Azure Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Azure Sentinel workspace’s geography as necessary for processing by the machine learning engine.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\r\n \"name\": \"9713e3c0-1410-468d-b79e-383448434b2d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n VMConnection\\n | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n 
},\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to VMConnection\",\r\n \"description\": \"Identifies a match in VMConnection from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\r\n \"name\": \"19e01883-15d8-4eb6-a7a5-3276cd668388\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == 
\\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same 
client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount >= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of failed attempts from same client IP\",\r\n \"description\": \"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. 
If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\r\n \"name\": \"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n 
\"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Solorigate Defender Detections\",\r\n \"description\": \"Surfaces any Defender Alert for Solorigate Events. In Azure Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MDATP)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceInfo\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\r\n \"name\": \"7249500f-3038-4b83-8549-9cd8dfa2d498\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = dynamic([\\\"de-ma.online\\\", 
\\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ 'OATP'\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n 
isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known PHOSPHORUS group domains/IP - October 2020\",\r\n \"description\": \"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Cisco)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (PaloAlto)\"\r\n ]\r\n },\r\n {\r\n 
\"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Zscaler)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Fortinet)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"OfficeATP\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (OATP)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics (Azure Firewall)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\r\n \"name\": \"3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 2\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid Indicators of Attack\",\r\n \"description\": \"Searches for triggered Indicators of Attack\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\r\n \"name\": \"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic(['foo@baz.com', 'test@foo.com']);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated >= ago(endtime)\\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName '(Organization)'\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_git/', Data.RepoName, '/pullrequest/', Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"PT3H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": 
[\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Pull Request Policy Bypassing - Historic Allowlist\",\r\n \"description\": \"This detection builds a Allowlist of historic PR policy bypasses and compares to recent history, flagging a non manually allowlisted, non historic pull request bypass.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"name\": \"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Office 365 Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Office 365 Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Office 365 Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2020-09-01T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OfficeATP\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (OATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"name\": 
\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"displayName\": \"Create incidents based on Azure Security Center for IoT alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Security Center for IoT\",\r\n \"lastUpdatedDateUTC\": \"2019-12-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"IoT\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (ASC for IoT)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\r\n \"name\": \"ac891683-53c3-4f86-86b4-c361708e2b2b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)['foo@bar.com', 'test@foo.com'];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)['Security.','Project.','AuditLog.','Extension.'];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)['Group.UpdateGroupMembership.Add','Library.ServiceConnectionExecuted','Pipelines.PipelineModified',\\n'Release.ReleasePipelineModified', 'Git.RefUpdatePoliciesBypassed'];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in 
(AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Personal Access Token (PAT) misuse\",\r\n \"description\": \"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require Allowlisting and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-23T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\r\n \"name\": \"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let PerUserThreshold = 5;\\nlet 
TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account's password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action)\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetResourceName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = TargetResourceName, Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type),\\n(SigninLogs\\n| where OperationName =~ \\\"Sign-in activity\\\" and ResultType has_any (\\\"50125\\\", \\\"50133\\\")\\n| project TimeGenerated, AccountType = AppDisplayName, Computer = IPAddress, Account = UserPrincipalName, 
Type\\n)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), AccountType = makeset(AccountType), Total=count() by Account, Type\\n| where Total > PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), Account = tostring(makeset(Account)), AccountType = makeset(AccountType), Total=count() by Type\\n| where Total > TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = tostring(Computer)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple Password Reset by user\",\r\n \"description\": \"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-09-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\r\n \"name\": \"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n 
\\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n), \\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer \\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) 
or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer \\n), \\n(Event \\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" \\n| where EventID == 3 \\n| extend EvData = parse_xml(EventData) \\n| extend EventDetail = EvData.DataItem.EventData.Data \\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"] \\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\") \\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n) \\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Barium IP\",\r\n \"description\": \"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. 
\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' \",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceNetworkEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\r\n \"name\": \"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\r\n \"type\": 
\"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"DNS events related to ToR proxies\",\r\n \"description\": \"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\r\n \"name\": \"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated > ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source->destination 'sessions'\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination 
to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds > TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source->destination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = 
(series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity >= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Fortinet - Beacon pattern detected\",\r\n \"description\": \"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. 
Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-31T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\r\n \"name\": \"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities['Type'] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities['Address']), AttackerCountry = tostring(Entities['Location']['CountryName']);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities['Type'] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities['Directory']), MaliciousFileName = tostring(Entities['Name']), MaliciousFileHashes = tostring(Entities['FileHashes']);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so 
we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don't work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) < 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName,HashAlgo = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"FileHash\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Algorithm\",\r\n \"columnName\": \"MD5\"\r\n },\r\n {\r\n \"identifier\": \"Value\",\r\n \"columnName\": \"FileHashCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Linked Malicious Storage Artifacts\",\r\n \"description\": \"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-14T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": 
\"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\r\n \"name\": \"f8127962-7739-4211-a4a9-390a7a00e91f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 30m;\\nlet lbperiod = 30d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated > ago(lbperiod)\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| where SrcUserUpn != ''\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. 
now())\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| extend isProtected = todynamic(MsgParts)[0]['isProtected']\\n| extend mimePgp = todynamic(MsgParts)[0]['detectedMime']\\n| where isProtected == 'true' or mimePgp == 'application/pgp-encrypted'\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\r\n \"queryFrequency\": \"PT30M\",\r\n \"queryPeriod\": \"PT30M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Multiple protected emails to unknown recipient\",\r\n \"description\": \"Detects when multiple protected messages where sent to early not seen recipient.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"name\": \"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let 
EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated >= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated >= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\\n| extend AttachEvent 
= pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Full Admin policy created and then attached to Roles, Users or Groups\",\r\n \"description\": \"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
\\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\r\n \"name\": \"155e9134-d5ad-4a6f-88f3-99c220040b66\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated > ago(timeback) and TimeGenerated < ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName =~ 
\\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated > ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts > 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Pipleine modified by a New User.\",\r\n \"description\": \"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. This detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. 
This query also joins events with data to Azure AD Identity Protection (AAD IdP) in order to show if the user conducting the action has any associated AAD IdP alerts, you can also chose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\r\n \"name\": \"79566f41-df67-4e10-a703-c38a6213afd8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != 
\\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Azure Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New 
access credential added to Application or Service Principal\",\r\n \"description\": \"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\r\n \"name\": \"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| where UrlCategory contains 'Adult Themes' or\\n UrlCategory contains 'Adware' or\\n UrlCategory contains 'Alcohol' or\\n UrlCategory contains 
'Illegal Downloads' or\\n UrlCategory contains 'Drugs' or\\n UrlCategory contains 'Child Abuse Content' or\\n UrlCategory contains 'Hate/Discrimination' or\\n UrlCategory contains 'Nudity' or\\n UrlCategory contains 'Pornography' or\\n UrlCategory contains 'Proxy/Anonymizer' or\\n UrlCategory contains 'Sexuality' or\\n UrlCategory contains 'Tasteless' or\\n UrlCategory contains 'Terrorism' or\\n UrlCategory contains 'Web Spam' or\\n UrlCategory contains 'German Youth Protection' or\\n UrlCategory contains 'Illegal Activities' or\\n UrlCategory contains 'Lingerie/Bikini' or\\n UrlCategory contains 'Weapons'\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\r\n \"description\": \"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\r\n \"name\": \"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Audit Stream Disabled\",\r\n \"description\": \"Azure DevOps allow for audit logs to streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and them re-enabling them after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\r\n \"name\": \"3d645a88-2724-41a7-adea-db74c439cf79\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 5000;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Amount of Denied Connections from a Single Source\",\r\n \"description\": \"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SophosXGFirewall\",\r\n \"dataTypes\": [\r\n 
\"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\r\n \"name\": \"a357535e-f722-4afe-b375-cff362b2b376\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * 'User-Agent\\\\\\\\\\\":\\\\\\\\\\\"' UserAgent2 '\\\\\\\\' *\\n| parse ExtendedProperties with * 'UserAgent\\\", \\\"Value\\\": \\\"' UserAgent1 '\\\"' *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == 'AzureActiveDirectoryStsLogon', UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != '-'\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, 
csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith '\\\\\\\"'\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malformed user 
agent\",\r\n \"description\": \"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\r\n \"name\": \"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| where UrlOriginal matches regex @'\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*'\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n 
\"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - URI contains IP address\",\r\n \"description\": \"Malware can use IP address to communicate with C2.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\r\n \"name\": \"bf07ca9c-e408-443a-8939-6860a45a929e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n 
\"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps - New Extension Added\",\r\n \"description\": \"Extensions added additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. This query looks for new extensions that are not from a configurable list of approved publishers.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\r\n \"name\": \"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic(['','']);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has 'Administrators'\\n| where Details has \\\"was added as a 
member of group\\\" and (Details endswith '\\\\\\\\Project Administrators' or Details endswith '\\\\\\\\Project Collection Administrators')\\n| parse Details with AddedIdentity ' was added as a member of group [' EntityName ']\\\\\\\\' GroupName\\n| extend Level = iif(GroupName == 'Project Collection Administrators', 'Organization', 'Project'), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == 'Organization', 'High', 'Medium'), AlertDetails = strcat('At ', TimeGenerated, ' UTC ', ActorUPN, '/', ActorDisplayName, ' added ', AddedIdentity, ' to the ', EntityName, ' ', Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == 'Organization'\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\r\n \"queryFrequency\": \"PT4H\",\r\n \"queryPeriod\": \"PT4H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Administrator Group Monitoring\",\r\n \"description\": \"This detection monitors for additions to project or project collection administration groups in an Azure DevOps Organization.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\r\n \"name\": \"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco ASA - threat detection message fired\",\r\n \"description\": \"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": 
\"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\r\n \"name\": \"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated >= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated >= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n 
\"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User joining Zoom meeting from suspicious timezone\",\r\n \"description\": \"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\r\n \"name\": \"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationName, ActivityStatus, Category, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AzureActivity\",\r\n \"description\": \"Identifies a match in AzureActivity from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n 
\"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\r\n \"name\": \"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated > ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount > threshold;\\nOfficeActivity \\n| where TimeGenerated >= ago(endtime) \\n| where RecordType =~ 
szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SharePointFileOperation via previously unseen IPs\",\r\n \"description\": \"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\r\n \"name\": \"0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == 'high' or modelSeverity_s == 'critical'\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Create Incident for XDR Alerts (Critical & High)\",\r\n \"description\": \"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Azure Sentinel usage. 
(Critical & High Serverity Alerts)\",\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"TrendMicroXDR\",\r\n \"dataTypes\": [\r\n \"TrendMicro_XDR_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\r\n \"name\": \"50574fac-f8d1-4395-81c7-78a463ff0c52\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SigninLogs\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": 
\"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure Active Directory PowerShell accessing non-AAD resources\",\r\n \"description\": \"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\r\n \"name\": \"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", 
\\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n 
\"displayName\": \"DNS events related to mining pools\",\r\n \"description\": \"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\r\n \"name\": \"9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-SDPROP-CONSISTENCY\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-GPO-HARDENING\\\", \\\"C-DC-ACCESS-CONSISTENCY\\\", \\\"C-DANGEROUS-TRUST-RELATIONSHIP\\\", \\\"C-UNCONST-DELEG\\\", \\\"C-ABNORMAL-ENTRIES-IN-SCHEMA\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid Active Directory attacks pathways\",\r\n \"description\": \"Searches for triggered Indicators of Exposures related to Active Directory attacks 
pathways\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-07T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\r\n \"name\": \"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let threshold = 1;\\nSigninLogs\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Status = makelist(Status), StatusDetails = makelist(StatusDetails), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress) , CorrelationIds = makelist(CorrelationId) by UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name\\n| where IPAddressCount > threshold and StatusDetails !has 
\\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = makeset(IPAddresses), Status = makeset(Status), CorrelationIds = makeset(CorrelationIds) by StartTimeUtc, EndTimeUtc, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Attempt to bypass conditional access rule in Azure AD\",\r\n \"description\": \"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\r\n \"tactics\": [\r\n 
\"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\r\n \"name\": \"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", 
\\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n 
\\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", 
\\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", 
\\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * '(' DNSName ')' * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (DnsEvents \\n | extend DNSName = Name \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = ClientIP \\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | 
extend Computer = DeviceName \\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Barium domains\",\r\n \"description\": \"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceNetworkEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\r\n \"name\": \"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from ago(starttime) to ago(endtime) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total > TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 
4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Process execution frequency anomaly\",\r\n \"description\": \"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\r\n \"name\": \"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"FileHash\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Algorithm\",\r\n 
\"columnName\": \"MD5\"\r\n },\r\n {\r\n \"identifier\": \"Value\",\r\n \"columnName\": \"FileHashCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SUNBURST network beacons\",\r\n \"description\": \"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-31T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceNetworkEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\r\n \"name\": \"06a9b845-6a95-4432-a78b-83919b28c375\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as 
outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated > ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal > percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by 
DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 3,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Time series anomaly detection for total volume of traffic\",\r\n \"description\": \"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Barracuda\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n 
\"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\r\n \"name\": \"871ba14c-88ef-48aa-ad38-810f26760ca3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"OfficeActivity\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has ':', tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has '-', tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" 
and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has ':', tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has '-', tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has ']-', tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has ']:', tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has ']:', tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount > 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports = tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": 
{},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple users email forwarded to same destination\",\r\n \"description\": \"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\r\n \"name\": \"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@'\\\\A(.*?)@', 1, SrcUserUpn)\\n| extend sender_domain = extract(@'@(.*)$', 1, SrcUserUpn)\\n| extend recipient = extract(@'\\\\A(.*?)@', 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend 
recipient_domain = extract(@'@(.*)$', 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Possible data exfiltration to private email\",\r\n \"description\": \"Detects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\r\n \"name\": \"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n OfficeActivity\\n | 
where TimeGenerated >= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, ';')[0])\\n | extend Office_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Office_TimeGenerated, Url, User\\n| extend timestamp = Office_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to OfficeActivity data\",\r\n \"description\": \"Identifies a match in OfficeActivity data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n 
\"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\r\n \"name\": \"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Security Event log cleared\",\r\n \"description\": \"Checks for event id 1102 which indicates the security event log was cleared. 
\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\r\n \"name\": \"1fa1528e-f746-4794-8a41-14827f4cb798\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 100;\\nPulseConnectSecure\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User > threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\r\n \"description\": \"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n 
\"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PulseConnectSecure\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\r\n \"name\": \"21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"afad_parser\\n| where MessageType == 2 and Codename == \\\"Golden Ticket\\\"\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid Golden Ticket\",\r\n \"description\": \"Searches for Golden Ticket attacks\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\r\n \"name\": \"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let threshold 
= 20;\\nSecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !='0xc0000064' and Account !in ('\\\\\\\\', '-\\\\\\\\-')\\n// SubStatus '0xc0000064' signifies 'Account name does not exist'\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \\nSubStatus =~ '0xC000006D', 'Bad user name or password',\\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\\nSubStatus =~ '0xC0000071', 'User logon with expired password',\\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \\nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\\nSubStatus =~ '0xC0000193', 'User logon with expired account',\\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\\nSubStatus =~ '0xC0000234', 'User logon with account locked',\\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error 
occurred during Logon',\\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\\nstrcat('Unknown reason substatus: ', SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed logon attempts by valid accounts within 10 mins\",\r\n \"description\": \"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n 
]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\r\n \"name\": \"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationName == \\\"Create role assignment\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ >= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated > ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CorrelationId = makelist(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationName, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n 
]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious granting of permissions to an account\",\r\n \"description\": \"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\r\n \"name\": \"2790795b-7dba-483e-853f-44aa0bc9c985\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors > 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n 
{\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Wazuh - Large Number of Web errors from an IP\",\r\n \"description\": \"Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\r\n \"name\": \"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = 
tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n 
}\r\n ],\r\n \"displayName\": \"New Agent Added to Pool by New User or of a New OS Type.\",\r\n \"description\": \"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. An attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have not added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a configurable allow list to allow for certain users to be excluded from the logic.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\r\n \"name\": \"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n 
\"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Base64 encoded Windows process command-lines\",\r\n \"description\": \"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2018-09-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\r\n \"name\": \"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime >= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime < ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New UserAgent observed in last 24 hours\",\r\n \"description\": \"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-11T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\r\n \"name\": \"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let szOperationNames = dynamic([\\\"Create or 
Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationName, Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope > 0.2\\n| join kind=leftsemi (\\n// Last day's activity is anomalous\\nAzureActivity\\n| where TimeGenerated >= startofday(ago(endtime))\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, 
OperationName, Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope > 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatus), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious number of resource creation or deployment activities\",\r\n \"description\": \"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\r\n \"name\": \"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(lookBack) and TimeGenerated < ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"UrlCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Rare User Agent Detected\",\r\n \"description\": \"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n 
\"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\r\n \"name\": \"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, 
ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Microsoft COVID-19 file hash indicator matches\",\r\n \"description\": \"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\r\n \"name\": \"2391ce61-8c8d-41ac-9723-d945b2e90720\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n 
\"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday >= coalesce(CountPrev7day,0)*threshold and CountToday >= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \\nSubStatus =~ '0xC000006D', 'Bad user name or password',\\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\\nSubStatus =~ '0xC0000071', 'User logon with expired password',\\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired 
operation', \\nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\\nSubStatus =~ '0xC0000193', 'User logon with expired account',\\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\\nSubStatus =~ '0xC0000234', 'User logon with account locked',\\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\\nstrcat('Unknown reason substatus: ', SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n 
\"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Windows logon failures\",\r\n \"description\": \"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\r\n \"name\": \"aac495a9-feb1-446d-b08e-a1164a539452\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = 
iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"TI map IP entity to GitHub_CL\",\r\n \"description\": \"Identifies a match in GitHub_CL table from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { - "RequestUri": 
"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f?api-version=2020-01-01", - "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVUZW1wbGF0ZXMvODI2YmIyZjgtNzg5NC00Nzg1LTlhNmItYThhODU1ZDgzNjZmP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", + "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe?api-version=2020-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVUZW1wbGF0ZXMvNzM4NzAyZmQtMGE2Ni00MmM3LTg1ODYtZTMwZjA1ODNmOGZlP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "GET", "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "8843ffea-ad7a-4552-9c7f-784fc5e1703b" + "8da655fb-6a39-414b-9c2f-2197f4672620" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -89,20 +89,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11998" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11998" + ], "x-ms-request-id": [ - "8500fd78-7132-49a6-a180-9fea434bb234" + "acb2bdfd-3f08-40f2-964a-16e81098d893" ], "x-ms-correlation-request-id": [ - "8500fd78-7132-49a6-a180-9fea434bb234" + "acb2bdfd-3f08-40f2-964a-16e81098d893" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T214405Z:8500fd78-7132-49a6-a180-9fea434bb234" + "WESTUS2:20210413T224638Z:acb2bdfd-3f08-40f2-964a-16e81098d893" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -111,10 +111,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:44:04 GMT" + "Tue, 13 Apr 2021 22:46:38 GMT" ], "Content-Length": [ - "4346" + "2020" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -123,7 +123,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"name\": \"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated >= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated >= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( 
EventInfo\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Full Admin policy created and then attached to Roles, Users or Groups\",\r\n \"description\": \"Identity and Access Management (IAM) 
securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\r\n \"name\": \"738702fd-0a66-42c7-8586-e30f0583f8fe\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \\\"SHA1\\\"\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n 
\"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"FileHash\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Algorithm\",\r\n \"columnName\": \"FileHashType\"\r\n },\r\n {\r\n \"identifier\": \"Value\",\r\n \"columnName\": \"FileHashCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"TEARDROP memory-only dropper\",\r\n \"description\": \"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n}", "StatusCode": 200 } ], diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/List.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/List.json index cb745bc77630..45114f2c2ceb 100644 
--- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/List.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRuleTemplatesTests/List.json @@ -7,16 +7,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "4c510188-5376-478b-97c8-c5a1a3194794" + "e37d5f1f-2ac9-48a1-a244-3cd94891fe91" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -26,20 +26,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "22cc4e34-6499-4266-9c76-32b064453700" + "a248f055-dcaa-4270-803c-e8cc1e13f8db" ], "x-ms-correlation-request-id": [ - "22cc4e34-6499-4266-9c76-32b064453700" + "a248f055-dcaa-4270-803c-e8cc1e13f8db" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T214406Z:22cc4e34-6499-4266-9c76-32b064453700" + "WESTUS2:20210413T224640Z:a248f055-dcaa-4270-803c-e8cc1e13f8db" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -48,10 +48,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:44:06 GMT" + "Tue, 13 Apr 2021 22:46:39 GMT" ], "Content-Length": [ - "517052" + "800430" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -60,7 +60,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"name\": \"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated >= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated >= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = 
materialize( EventInfo\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Full Admin policy created and then attached to Roles, Users or Groups\",\r\n \"description\": \"Identity and Access 
Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\r\n \"name\": \"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nSymantecProxySG\\n| where TimeGenerated >= timeframe\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 
0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User Accessed Suspicious URL Categories\",\r\n \"description\": \"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecProxySG\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"name\": \"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"displayName\": \"Create incidents based on Azure Security Center for IoT alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Security Center for IoT\",\r\n \"lastUpdatedDateUTC\": \"2019-12-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n 
{\r\n \"connectorId\": \"IoT\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (ASC for IoT)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 2\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\r\n \"name\": \"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName == \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount > threshold\\n;\\n// 
Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\\n| where OperationName == \\\"Consent to application\\\"\\n| extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), \\ntostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType , CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 3,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": 
\"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare application consent\",\r\n \"description\": \"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"LateralMovement\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\r\n \"name\": \"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n 
\"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationName, ActivityStatus, Category, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AzureActivity\",\r\n \"description\": \"Identifies a match in AzureActivity from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"name\": \"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Office 365 Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Office 365 Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Office 365 Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": 
\"2020-09-01T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OfficeATP\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (OATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 1\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\r\n \"name\": \"106813db-679e-4382-a51b-1bfc463befc3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | where 
isnotempty(PA_Url)\\n | extend CSL_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CSL_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to PaloAlto data\",\r\n \"description\": \"Identifies a match in PaloAlto data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\r\n \"name\": \"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated > ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 3 downloads/uploads from a new user agent today\\n| where recentCount > threshold;\\nOfficeActivity \\n| where TimeGenerated > ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SharePointFileOperation via devices with previously unseen user agents\",\r\n \"description\": \"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 5).\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\r\n \"name\": \"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData = \\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from ago(starttime) to ago(endtime) step timeframe by Process;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total > TotalEventsThreshold;\\nTimeSeriesAlerts\\n| join (\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated \\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score \\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n 
\"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Process execution frequency anomaly\",\r\n \"description\": \"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors. \\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. \\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\r\n \"name\": \"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet 
TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds > TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents > TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent > PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = 
SourceUserID, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Palo Alto - potential beaconing detected\",\r\n \"description\": \"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\r\n \"name\": \"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 15;\\nSymantecVIP\\n| where TimeGenerated > timeframe\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n 
\"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Failed Authentication from Invalid Inputs\",\r\n \"description\": \"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecVIP\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\r\n \"name\": \"69a45b05-71f5-45ca-8944-2e038747fb39\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --> SecondHop > FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --> FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --> FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop > FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop <= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude 
counts of 5 or more on a given day\\n| where ComputerCount >= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"RDP Nesting\",\r\n \"description\": \"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\r\n \"name\": \"cf3ede88-a429-493b-9108-3e46d3c741f7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated > ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize 
FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess >= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SecurityEvent - Multiple authentication failures followed by a success\",\r\n \"description\": \"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\r\n \"name\": \"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, 
AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to AWS Security Group ingress and egress settings\",\r\n \"description\": \"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\r\n \"name\": \"84cf1d59-f620-4fee-b569-68daf7008b7b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 10;\\nQualysHostDetection_CL\\n| where TimeGenerated >= timeframe\\n| 
mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s >= threshold\\n| extend timestamp = StartTime\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"New High Severity Vulnerability Detected Across Multiple Hosts\",\r\n \"description\": \"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"QualysVulnerabilityManagement\",\r\n \"dataTypes\": [\r\n \"QualysHostDetection_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\r\n \"name\": \"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable/remove policy\\n| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| 
where Operation has_any (\\\"AntiPhish\\\", \\\"SafeAttachment\\\", \\\"SafeLinks\\\", \\\"Dlp\\\", \\\"Audit\\\")\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Office policy tampering\",\r\n \"description\": \"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\r\n \"name\": \"2b701288-b428-4fb8-805e-e4372c574786\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\nlet timeRange = 30d;\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet signinData =\\n SigninLogs\\n | where TimeGenerated >= ago(timeRange)\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(LocationDetails['countryOrRegion'])\\n | where 
isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta >= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries >= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in data, this can be configured, less than 10% is uncommon\\n| where prevalence < countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, 
SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n TeamsData \\n | where TimeGenerated >= ago(timeRange)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": 
\"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous login followed by Teams action\",\r\n \"description\": \"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\r\n \"name\": \"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// Replace these with the usename or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic(['vip1@email.com','vip2@email.com']);\\nlet timeframe = 1d;\\nLAQueryLogs\\n| where TimeGenerated > ago(timeframe)\\n| where QueryText has_any 
(vips)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Users searching for VIP user activity\",\r\n \"description\": \"This query monitors for users running Log Analytics queries that contain filters \\nfor specific, defined VIP user accounts. Use this detection to alert for users specifically \\nsearching for activity of sensitive users.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-23T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(Query Audit)\",\r\n \"dataTypes\": [\r\n \"LAQueryLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\r\n \"name\": \"223db5c1-1bf8-47d8-8806-bed401b356a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet azPortalSignins = materialize(SigninLogs\\n| where TimeGenerated >= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where 
ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated > TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)\\n| summarize 
TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation\\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed login attempts to Azure Portal\",\r\n \"description\": \"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\r\n \"name\": \"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n 
{\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Security Event log cleared\",\r\n \"description\": \"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\r\n \"name\": \"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookBack_long = 14d;\\nlet lookBack_med = 7d;\\nlet lookBack = 1d;\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack_long))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| 
extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope > 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack_med))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n| top 50 by Slope desc\\n| where Slope > 0.3\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n| where Slope > 5\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous sign-in location by user account and authenticating application\",\r\n \"description\": \"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 7-day and 14-day periods.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\r\n \"name\": \"ec21493c-2684-4acd-9bc2-696dbad72426\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated > ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, '.')\\n | extend tld = 
parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC's that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceVendor =~ 'Palo Alto Networks'\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, '.')\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CSL_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, 
ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to PaloAlto\",\r\n \"description\": \"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\r\n \"name\": \"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet timeRange = 1d;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| where TimeGenerated >= ago(timeRange)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName contains \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n 
\"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Brute force attack against Azure Portal\",\r\n \"description\": \"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\r\n \"name\": \"a9956d3a-07a9-44a6-a279-081a85020cae\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where TimeGenerated > timeframe\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by 
ClientIP, bin(TimeGenerated, 15m)\\n| where Total > threshold\\n| project ClientIP;\\nSymantecVIP\\n| where TimeGenerated > timeframe\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess() on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ClientDeniedAccess\",\r\n \"description\": \"Creates an incident in the event a Client has an excessive amounts of denied access requests.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecVIP\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\r\n \"name\": \"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet 
WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n| where TimeGenerated > ago(timeframe)\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, \\nGroupAddTargetUserName = TargetUserName, GroupAddTargetDomainName = TargetDomainName, GroupAddTargetSid = TargetSid, \\nGroupAddSubjectUserName = SubjectUserName, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, \\nGroupCreateTargetUserName = TargetUserName, GroupCreateTargetDomainName = TargetDomainName, GroupCreateSubjectUserName = SubjectUserName, \\nGroupCreateSubjectDomainName = SubjectDomainName, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = 
TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectUserName, HostCustomEntity = GroupCreateComputer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Group added to built in domain local or global group\",\r\n \"description\": \"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\r\n \"name\": \"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n 
\"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| project TimeGenerated, OperationName, Resource, CallerIPAddress \\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts since specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(timeframe)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = 
columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s \\n) on Resource, TimeGenerated \\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n 
\"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure Key Vault access TimeSeries anomaly\",\r\n \"description\": \"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm \\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an \\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\r\n \"name\": \"884c4957-70ea-4f57-80b9-1bca3890315b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet 
timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where TimeGenerated >= ago(timeFrame)\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"&\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"&\\\")[0]),tostring(split(csUriQuery, \\\"&\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", 
\\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount >= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n 
},\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of failed logons by a user\",\r\n \"description\": \"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. \\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8b8aec75-dc5e-4661-bc0c-9e4fff6aad02\",\r\n \"name\": \"8b8aec75-dc5e-4661-bc0c-9e4fff6aad02\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1027\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Highly Confidential to Confidential\",\r\n \"Highly Confidential to General\",\r\n \"Highly Confidential to Public\",\r\n \"Highly Confidential to Archive\",\r\n \"Confidential to General\",\r\n \"Confidential to Public\",\r\n 
\"Confidential to Archive\",\r\n \"General to Public\",\r\n \"General to Archive\",\r\n \"Public to Archive\"\r\n ],\r\n \"values\": [\r\n \"Highly Confidential to General\",\r\n \"Highly Confidential to Public\",\r\n \"Highly Confidential to Archive\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Document sensitivity label change\",\r\n \"description\": \"Sensitivity labels are security settings that have been automatically or manually applied to your files.\\nSometimes it is normal to change the labels of files.\\nChoose which label changes are severe enough to generate anomalies.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n },\r\n {\r\n \"supportedValues\": [\r\n \".doc\",\r\n \".docm\",\r\n \".docx\",\r\n \".dot\",\r\n \".dotm\",\r\n \".dotx\"\r\n ],\r\n \"values\": [\r\n \".doc\",\r\n \".docx\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Document type\",\r\n \"description\": \"Choose which document types to include or exclude from this rule.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n },\r\n {\r\n \"supportedValues\": [\r\n \"Discover, open, remove protection\",\r\n \"Discover, open, remove label\",\r\n \"Discover, open, downgrade label\",\r\n \"Discover, remove protection\",\r\n \"Discover, remove label\",\r\n \"Discover, downgrade label\"\r\n ],\r\n \"values\": [\r\n \"Discover, open, remove protection\",\r\n \"Discover, open, downgrade label\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Document action sequence\",\r\n \"description\": \"Document action sequence is the order of events that occurred while changes were made to these files. 
Based on the way you normally interact with your files, you may choose which actions are flagged as anomalous.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"singleSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Include\",\r\n \"Exclude\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"value\": \"Include\",\r\n \"name\": \"Private IP\",\r\n \"description\": \"Private IP relates to the status of the IP address where the operation occurred. Choose to either include or exclude operations from Private IPs.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"prioritizeExcludeObservations\": [\r\n {\r\n \"prioritize\": \"[60-100]\",\r\n \"exclude\": \"[200-]\",\r\n \"dataType\": \"number\",\r\n \"name\": \"Document count\",\r\n \"description\": \"Document count is the number of files that were involved in a particular downgrade operation. Choose a number that would indicate an unusual number of files to be edited in one batch.\\nYou may *prioritize* a certain range of numbers and you may *exclude* a certain range of numbers.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n },\r\n {\r\n \"prioritize\": null,\r\n \"exclude\": \"financial, $hr.+$\",\r\n \"dataType\": \"string\",\r\n \"name\": \"Document name\",\r\n \"description\": \"Choose to *prioritize* or *exclude* strings that appear in the names of documents. 
You may enter plain text and regular expressions separated by commas.\\n\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ],\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0.3\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.3\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"PT2H\",\r\n \"displayName\": \"(Preview) Anomalous Document Mass Downgrade\",\r\n \"description\": \"Description for Anomalous mass downgrade of sensitive documents template\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-12T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureInformationProtection\",\r\n \"dataTypes\": [\r\n \"InformationProtectionLogs_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0558155e-4556-447e-9a22-828f2a7de06b\",\r\n \"name\": \"0558155e-4556-447e-9a22-828f2a7de06b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nProofPointTAPMessagesDelivered_CL\\n| where TimeGenerated >= timeframe\\n| mv-expand todynamic(threatsInfoMap_s)\\n| mv-expand todynamic(messageParts_s)\\n| extend threatType = tostring(threatsInfoMap_s.threatType), classification = tostring(threatsInfoMap_s.classification)\\n| extend filename = tostring(messageParts_s.filename)\\n| where threatType =~ \\\"attachment\\\" and classification =~ \\\"malware\\\"\\n| summarize filenames 
= make_set(filename), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, threatType, classification, Subject = subject_s\\n| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware attachment delivered\",\r\n \"description\": \"This query identifies a message containing a malware attachment that was delivered.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointTAP\",\r\n \"dataTypes\": [\r\n \"ProofPointTAPMessagesDelivered_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\r\n \"name\": \"32555639-b639-4c2b-afda-c0ae0abefa55\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName =~ \\\"GetCallerIdentity\\\" and 
UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTimeUtc desc nulls last\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Monitor AWS Credential abuse or hijacking\",\r\n \"description\": \"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\r\n \"name\": \"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet threshold = 1000;\\nInfobloxNIOS\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ > threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n | where TimeGenerated >= ago(timeframe)\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential DHCP Starvation Attack\",\r\n \"description\": \"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"InfobloxNIOS\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\r\n \"name\": \"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nDnsEvents\\n| where TimeGenerated > ago(timeframe)\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", 
\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"DNS events related to mining pools\",\r\n \"description\": \"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\r\n \"name\": \"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet 
emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n SigninLogs | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailRecipient column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend Region = tostring(LocationDetails[\\\"countryOrRegion\\\"]), State = tostring(LocationDetails[\\\"state\\\"]), City = tostring(LocationDetails[\\\"city\\\"])\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.UserPrincipalName\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n 
\"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SigninLogs\",\r\n \"description\": \"Identifies a match in SigninLogs table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\r\n \"name\": \"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from JSON data\\n | extend Url = 
extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to SecurityAlert data\",\r\n \"description\": \"Identifies a match in SecurityAlert data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n 
]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\r\n \"name\": \"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet threshold = 15;\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount > threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": 
\"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SSH - Potential Brute Force\",\r\n \"description\": \"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\r\n \"name\": \"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| where StartTimeUtc >= ago(timeframe)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Base64 encoded Windows process command-lines\",\r\n \"description\": \"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2018-09-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\r\n \"name\": \"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map File Hash to CommonSecurityLog Event\",\r\n \"description\": \"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n 
\"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\r\n \"name\": \"f948a32f-226c-4116-bddd-d95e91d97eb9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to 
all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n 
\"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Suspicious application consent similar to O365 Attack Toolkit\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\r\n \"name\": \"9f86885f-f31f-4e66-a39d-352771ee789e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nCarbonBlackEvents_CL\\n| where TimeGenerated > timeframe\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 
1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Malware Detected\",\r\n \"description\": \"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"VMwareCarbonBlack\",\r\n \"dataTypes\": [\r\n \"CarbonBlackEvents_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\r\n \"name\": 
\"a357535e-f722-4afe-b375-cff362b2b376\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let endtime = 1d;\\n(union isfuzzy=true\\n(OfficeActivity | where TimeGenerated >= ago(endtime) | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where TimeGenerated >= ago(endtime)\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation, UserAgent = extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string))),\\n(AzureDiagnostics\\n| where TimeGenerated >= ago(endtime)\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")))\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \\\"\\\\\\\"\\\"\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationNames = makeset(OperationName), UserAgentCount = dcount(UserAgent), \\nUserAgentList = makeset(UserAgent), RecordTypes = makeset(RecordType) by UserId, ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n 
{\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malformed user agent\",\r\n \"description\": \"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"name\": \"155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", 
SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName in~ (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) or isnotempty(DNSName)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account )\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n 
\"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Phosphorus group domains/IP\",\r\n \"description\": \"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 1\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\r\n \"name\": \"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| 
summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to AWS Elastic Load Balancer security groups\",\r\n \"description\": \"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. 
\\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\r\n \"name\": \"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SigninLogs\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = AlternateSignInName\\n| extend IPCustomEntity = IPAddress\\n| extend URLCustomEntity = ClientAppUsed\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": 
\"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Explicit MFA Deny\",\r\n \"description\": \"User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\r\n \"name\": \"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = ago(1d);\\nlet threshold = 1;\\nSigninLogs\\n| where TimeGenerated >= timeRange\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Status = makelist(Status), StatusDetails = makelist(StatusDetails), IPAddresses = 
makelist(IPAddress), IPAddressCount = dcount(IPAddress) , CorrelationIds = makelist(CorrelationId) by UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name\\n| where IPAddressCount > threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = makeset(IPAddresses), Status = makeset(Status), CorrelationIds = makeset(CorrelationIds) by StartTimeUtc, EndTimeUtc, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Attempt to bypass conditional access rule in Azure AD\",\r\n \"description\": \"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: 
\\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\r\n \"name\": \"173f8699-6af5-484a-8b06-8c47ba89b380\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) > max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n 
\"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple Teams deleted by a single user\",\r\n \"description\": \"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Azure Sentinel.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity (Teams)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\r\n \"name\": \"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nDnsEvents\\n| where TimeGenerated > ago(timeframe)\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", 
\\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"DNS events related to ToR proxies\",\r\n \"description\": \"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\r\n \"name\": \"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related 
IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n SecurityAlert | where TimeGenerated >= ago(dt_lookBack)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend SecurityAlert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.EntityEmail\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityAlert_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = SecurityAlert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to 
SecurityAlert\",\r\n \"description\": \"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\r\n \"name\": \"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MLBehaviorAnalytics\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Anomalous SSH Login Detection\",\r\n \"description\": \"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. 
Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Azure Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\r\n \"name\": \"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated > ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld > threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld > threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P10D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential DGA detected\",\r\n \"description\": \"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). 
Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\r\n \"name\": \"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = 
toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, 
last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco ASA - average attack detection rate increase\",\r\n \"description\": \"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\r\n \"name\": \"500415fb-bba7-4227-a08a-9857fb61b6a7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", (split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n 
\"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mail redirect via ExO transport rule\",\r\n \"description\": \"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-05-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\r\n \"name\": \"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where TimeGenerated >= ago(timeframe) \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in 
(IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where TimeGenerated >= ago(timeframe) \\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where TimeGenerated >= ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) 
\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(WireData \\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(SigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known IRIDIUM IP\",\r\n \"description\": \"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\r\n \"name\": \"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, '|', 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project 
LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\r\n \"description\": \"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureNetworkAnalytics_CL(NSG Flow Logs)\",\r\n \"dataTypes\": [\r\n \"AzureNetworkAnalytics_CL\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\r\n \"name\": \"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.DestinationUserID\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, 
AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to CommonSecurityLog\",\r\n \"description\": \"Identifies a match in CommonSecurityLog table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\r\n \"name\": \"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": 
\"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where TimeGenerated > ago(timeframe) \\n| where CommandLine contains \\\".decode('base64')\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Process executed from binary hidden in Base64 encoded file\",\r\n \"description\": \"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\r\n \"name\": \"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Active Directory Identity Protection\",\r\n \"displayName\": \"Create incidents based on Azure Active Directory Identity Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectoryIdentityProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (IPC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\r\n \"name\": \"2391ce61-8c8d-41ac-9723-d945b2e90720\",\r\n \"type\": 
\"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday >= coalesce(CountPrev7day,0)*threshold and CountToday >= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \\nSubStatus =~ '0xC000006D', 'Bad user name or password',\\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\\nSubStatus =~ '0xC0000071', 'User logon with expired password',\\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\\nSubStatus =~ 
'0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \\nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\\nSubStatus =~ '0xC0000193', 'User logon with expired account',\\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\\nSubStatus =~ '0xC0000234', 'User logon with account locked',\\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine',\\nstrcat('Unknown reason substatus: ', SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Windows logon failures\",\r\n \"description\": \"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\r\n \"name\": \"f2dd4a3a-ebac-4994-9499-1a859938c947\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, 
baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated \\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score;\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog \\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime))) \\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024) \\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP), DestinationPortList = make_set(DestinationPort), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB\\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n),\\n(\\nVMConnection \\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime))) \\n| extend DeviceVendor = \\\"VMConnection\\\", SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), 
DestinationIPList=make_set(DestinationIP), DestinationPortList = make_set(DestinationPort), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DestinationIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB \\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc \\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies \\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP), DestinationIPList = make_set(DestinationIPList) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount \\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n 
\"displayName\": \"Time series anomaly for data size transferred to public internet\",\r\n \"description\": \"Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. \\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. \\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour. \\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\r\n \"name\": \"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": 
\"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n)\\n)\\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"THALLIUM domains included in DCU takedown\",\r\n \"description\": \"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-01-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\r\n \"name\": \"06a9b845-6a95-4432-a78b-83919b28c375\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 25;\\nlet TimeSeriesData = CommonSecurityLog \\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n//Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score;\\n//Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order \\nTimeSeriesAlerts \\n| join (\\n CommonSecurityLog \\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP), DestinationPortlist = 
make_set(DestinationPort) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor \\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal > percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist), DestinationPortlist = make_set(DestinationPortlist) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 3,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Time series anomaly detection for total volume of traffic\",\r\n \"description\": \"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns. \\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns. 
\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour. \\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Barracuda\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\r\n \"name\": \"3533f74c-9207-4047-96e2-0eb9383be587\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n 
\"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", 
AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Suspicious application consent for offline access\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with 
offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\r\n \"name\": \"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 10m;\\nlet threshold = 20;\\nSecurityEvent \\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !='0xc0000064' and Account !in ('\\\\\\\\', '-\\\\\\\\-')\\n// SubStatus '0xc0000064' signifies 'Account name does not exist'\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \\nSubStatus =~ '0xC000006D', 'Bad user name or 
password',\\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\\nSubStatus =~ '0xC0000071', 'User logon with expired password',\\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \\nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\\nSubStatus =~ '0xC0000193', 'User logon with expired account',\\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\\nSubStatus =~ '0xC0000234', 'User logon with account locked',\\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine',\\nstrcat('Unknown reason substatus: ', SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed logon attempts by valid accounts within 10 mins\",\r\n \"description\": \"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\r\n \"name\": \"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": 
\"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map File Hash to Security Event\",\r\n \"description\": \"Identifies a match in Security Event data from any File Hash IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\r\n \"name\": \"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated > 
ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to DnsEvent\",\r\n \"description\": \"Identifies a match in DnsEvent table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n 
\"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\r\n \"name\": \"f110287e-1358-490d-8147-ed804b328514\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, 
ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AWSCloudTrail\",\r\n \"description\": \"Identifies a match in AWSCloudTrail from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\r\n \"name\": \"ef88eb96-861c-43a0-ab16-f3835a97c928\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet regexEmpire = @\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCom
mand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetS
ite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptS
ingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where TimeGenerated >= ago(timeframe) \\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, ' ')[0]), CommandLine\\n// Note: currently the base64_decodestring function is limited to supporting UTF8\\n| extend decodedCommand = translate('\\\\0','', base64_decodestring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where TimeGenerated >= ago(timeframe)\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, 
HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Powershell Empire cmdlets seen in command line\",\r\n \"description\": \"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\r\n \"name\": \"643c2025-9604-47c5-833f-7b4b9378a1f5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet Suspicious_signins = \\nSigninLogs\\n| where TimeGenerated >= ago(1d)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress != \\\"127.0.0.1\\\"\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| 
summarize make_list(IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where TimeGenerated > ago(1d)\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AzureAD logons but success logon to AWS Console\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": 
\"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\r\n \"name\": \"7249500f-3038-4b83-8549-9cd8dfa2d498\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| where TimeGenerated >= 
ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where TimeGenerated >= ago(timeframe) \\n| where ProviderName =~ 'OATP'\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where TimeGenerated >= ago(timeframe) \\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n 
\"displayName\": \"Known PHOSPHORUS group domains/IP - October 2020\",\r\n \"description\": \"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Cisco)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (PaloAlto)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Zscaler)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Fortinet)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"OfficeATP\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (OATP)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics (Azure Firewall)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\r\n \"name\": \"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet PerUserThreshold = 5;\\nlet TotalThreshold = 
100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account's password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where OperationName has_any (pWord) and OperationName has_any (action)\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetResourceName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = TargetResourceName, Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type),\\n(SigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where 
OperationName =~ \\\"Sign-in activity\\\" and ResultType has_any (\\\"50125\\\", \\\"50133\\\")\\n| project TimeGenerated, AccountType = AppDisplayName, Computer = IPAddress, Account = UserPrincipalName, Type\\n)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), AccountType = makeset(AccountType), Total=count() by Account, Type\\n| where Total > PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), Account = tostring(makeset(Account)), AccountType = makeset(AccountType), Total=count() by Type\\n| where Total > TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = tostring(Computer)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple Password Reset by user\",\r\n \"description\": \"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-09-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"name\": \"327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Defender Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Microsoft Defender Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Microsoft Defender Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-10-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MDATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 1\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\r\n \"name\": \"44a555d8-ecee-4a25-95ce-055879b4b14b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| where TimeGenerated >= ago(timeFrame)\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", 
\\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount >= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n 
],\r\n \"displayName\": \"High count of connections by client IP on many ports\",\r\n \"description\": \"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\r\n \"name\": \"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 
1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to AuditLogs\",\r\n \"description\": \"Identifies a match in AuditLogs from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n 
\"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\r\n \"name\": \"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let szOperationNames = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationName, Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope > 0.2\\n| join kind=leftsemi (\\n// Last day's activity is anomalous\\nAzureActivity\\n| where TimeGenerated >= startofday(ago(endtime))\\n| where OperationName in~ (szOperationNames)\\n| 
summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationName, Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope > 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatus), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious number of resource creation or deployment activities\",\r\n \"description\": \"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of 
the day is considered 12am UTC time.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\r\n \"name\": \"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 10;\\nQualysHostDetection_CL\\n| where TimeGenerated >= timeframe\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ >= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High Number of Urgent Vulnerabilities Detected\",\r\n \"description\": \"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"QualysVulnerabilityManagement\",\r\n \"dataTypes\": [\r\n \"QualysHostDetection_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\r\n \"name\": \"39198934-62a0-4781-8416-a81265c03fd6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains 
\\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, 
OperationName, GrantOperation, CorrelationId, ConsentFull\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Suspicious application consent similar to PwnAuth\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-06-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"name\": \"f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Fusion\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"displayName\": \"Advanced Multistage Attack Detection\",\r\n \"description\": \"Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage 
attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nThere are a total of 70 Fusion incident types detected by Azure Sentinel.\\n- 65 of these show the combination of suspicious Azure Active Directory sign-in events followed by anomalous Office 365 activity. Out of these 65, 30 are in public preview. \\n- The remaining five incident types show the combination of anomalous signals from Microsoft Defender Advanced Threat Protection and from Palo Alto Networks firewalls. These five types are all in public preview.\\n\\nTo detect these multistage attacks, the following data connectors must be configured:\\n- Azure Active Directory Identity Protection.\\n- Microsoft Cloud App Security.\\n- Microsoft Defender Advanced Threat Protection.\\n- Palo Alto Networks.\\n\\nFor a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"CommandAndControl\",\r\n \"DefenseEvasion\",\r\n \"Discovery\",\r\n \"Execution\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"InitialAccess\",\r\n \"LateralMovement\",\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-09T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\r\n \"name\": 
\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated > ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid \\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated > ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid \\n) on Computer, TargetUserName\\n| where deletionTime - creationTime < spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, \\ndeletionTime, DeleteEventID, AccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account enabled and disabled 
within 10 mins\",\r\n \"description\": \"Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\r\n \"name\": \"75bf9902-0789-47c1-a5d8-f57046aa72df\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where TimeGenerated >= ago(timeframe)\\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": 
\"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware in the recycle bin\",\r\n \"description\": \"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2018-09-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\r\n \"name\": \"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nAzureActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where 
OperationName in (operationList)\\n| where ActivityStatus == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationName, ActivityStatus, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Creation of expensive computes in Azure\",\r\n \"description\": \"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-08-28T00:00:00Z\",\r\n \"status\": 
\"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\r\n \"name\": \"aac495a9-feb1-446d-b08e-a1164a539452\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"ThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(24h)\\n| where Action == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | where TimeGenerated >= ago(24h)\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, 
AccountCustomEntity = Actor\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"TI map IP entity to GitHub_CL\",\r\n \"description\": \"Identifies a match in GitHub_CL table from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\r\n \"name\": \"34663177-8abf-4db1-b0a4-5683ab273f44\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 20;\\nPulseConnectSecure\\n| where TimeGenerated >= timeframe\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ > threshold\\n| extend timestamp = StartTime, AccountCustomEntity 
= User, IPCustomEntity = Source_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"PulseConnectSecure - Potential Brute Force Attempts\",\r\n \"description\": \"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PulseConnectSecure\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\r\n \"name\": \"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, 
EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to Amazon VPC settings\",\r\n \"description\": \"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\",\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\r\n \"name\": \"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let szOperationNames = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationName, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated > ago(endtime)\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatus = makeset(ActivityStatus), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious Resource deployment\",\r\n \"description\": \"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\r\n \"name\": \"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = 'FileUploaded';\\n// Extensions that are interesting. 
Add/Remove to this list as you see fit\\nlet execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated >= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount > threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\\\\\.', '_',UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), 
SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"New executable via Office FileUploaded Operation\",\r\n \"description\": \"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-03-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\r\n \"name\": \"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated 
between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated > ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount > threshold;\\nOfficeActivity \\n| where TimeGenerated >= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n 
],\r\n \"displayName\": \"SharePointFileOperation via previously unseen IPs\",\r\n \"description\": \"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\r\n \"name\": \"871ba14c-88ef-48aa-ad38-810f26760ca3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 7d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has ':', tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has '-', tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has ':', 
tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has ':', tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has '-', tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has ']-', tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has ']:', tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has ']:', tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount > 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports = tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n 
\"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple users email forwarded to same destination\",\r\n \"description\": \"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\r\n \"name\": \"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 50;\\nSophosXGFirewall\\n| where TimeGenerated >= timeframe\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| 
where dcount_Dst_Port > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Port Scan Detected\",\r\n \"description\": \"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short period.\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SophosXGFirewall\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\r\n \"name\": \"4b93c5af-d20b-4236-b696-a28b8c51407f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated > ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid \\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated > ago(timeframe) \\n // A user 
account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid \\n) on Computer, TargetUserName\\n| where deletionTime - creationTime < spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate, \\ndeletionTime, DeleteEventID, AccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account created and deleted within 10 mins\",\r\n \"description\": \"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\r\n \"name\": \"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated > ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source->destination 'sessions'\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds > TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source->destination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), 
makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity >= 
(10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Fortinet - Beacon pattern detected\",\r\n \"description\": \"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. 
Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-31T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\r\n \"name\": \"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where TimeGenerated > timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s > FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where TimeGenerated > timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = client_ipAddress_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Password Spray Attack\",\r\n \"description\": \"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\r\n \"name\": \"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeRange = 1d;\\nlet s_threshold = 30;\\nlet l_threshold = 3;\\nSigninLogs\\n| where TimeGenerated >= ago(timeRange)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \\n| extend LocationString= 
strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount > s_threshold and LocationCount >= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Distributed Password cracking attempts in AzureAD\",\r\n \"description\": \"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID 
or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\r\n \"name\": \"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n OfficeActivity\\n | where TimeGenerated >= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, ';')[0])\\n | extend Office_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = 
iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Office_TimeGenerated, Url, User\\n| extend timestamp = Office_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to OfficeActivity data\",\r\n \"description\": \"Identifies a match in OfficeActivity data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\r\n \"name\": 
\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\n// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n| where TimeGenerated > ago(timeframe)\\n// When MemberName contains '-' this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = tostring(split(tostring(split(MemberName, \\\",\\\")[0]),\\\"CN=\\\")[1])\\n| project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account added to built in domain local or global group\",\r\n \"description\": \"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\r\n \"name\": \"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the 
entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == 'host', EntityHostName, '')\\n | extend IP_addr = iif(EntityType == 'ip', EntityAddress, '')\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n 
]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to SecurityAlert\",\r\n \"description\": \"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\r\n \"name\": \"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", 
\\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n 
\"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Squid proxy events for ToR proxies\",\r\n \"description\": \"Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\r\n \"name\": \"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod; \\nlet GitHubFailedSSOLogins = (SigninLogs \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType == 50056); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime) \\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, tostring(set_IPAddress)\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity \\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime > LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Brute Force Attack against GitHub Account\",\r\n \"description\": \"Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\r\n \"name\": \"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"ThreatIntelligence\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Microsoft Threat Intelligence Analytics\",\r\n \"description\": \"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity and are turned ON by default. 
\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-15T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\r\n \"name\": \"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where TimeGenerated > ago(timeframe)\\n| where Facility contains 'auth' and ProcessName != 'sudo'\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ > signin_threshold\\n| summarize 
make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nSigninLogs\\n| where TimeGenerated > ago(timeframe)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed host logons but success logon to AzureAD\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\r\n \"name\": \"45b903c5-6f56-4969-af10-ae62ac709718\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare RDP Connections\",\r\n \"description\": \"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-01-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\r\n \"name\": \"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * 'TicketEncryptionType\\\">' TicketEncryptionType \\\"<\\\" *\\n| where TicketEncryptionType == '0x17'\\n| parse EventData with * 'TicketOptions\\\">' TicketOptions \\\"<\\\" *\\n| where TicketOptions == '0x40810000'\\n| parse EventData with * 'Status\\\">' Status \\\"<\\\" *\\n| where Status == '0x0'\\n| parse EventData with * 'ServiceName\\\">' ServiceName \\\"<\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * 'TargetUserName\\\">' TargetUserName \\\"<\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * 'IpAddress\\\">::ffff:' ClientIPAddress \\\"<\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h < prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated >= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName, ClientIPAddress, 
TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h > prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Kerberoasting\",\r\n \"description\": \"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. 
Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\r\n \"name\": \"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n Syslog\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, '.')\\n //Split out the 
TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to Syslog\",\r\n \"description\": \"Identifies a match in Syslog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n 
\"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\r\n \"name\": \"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1h;\\nCommonSecurityLog \\n| where TimeGenerated > ago(timeframe) \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ >= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n 
\"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Palo Alto - possible internal to external port scanning\",\r\n \"description\": \"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\r\n \"name\": \"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe =1d;\\nlet EventCountThreshold = 25;\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ > EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mass secret retrieval from Azure Key Vault\",\r\n \"description\": \"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\r\n \"name\": \"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.Caller\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, 
EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, Category, OperationName,\\nOperationNameValue, ActivityStatus, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to AzureActivity\",\r\n \"description\": \"Identifies a match in AzureActivity table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\r\n \"name\": \"910124df-913c-47e3-a7cd-29e1643fa55e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where TimeGenerated >= ago(1d)\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ > signin_threshold\\n| summarize make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where TimeGenerated >= ago(1d)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AWS Console logons but success logon to AzureAD\",\r\n \"description\": \"Identifies a list 
of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\r\n \"name\": \"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.UserId\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, 
OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to OfficeActivity\",\r\n \"description\": \"Identifies a match in OfficeActivity table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\r\n \"name\": \"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" \\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords '}'*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords '}'*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords '}'*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, 
OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malicious Inbox Rule\",\r\n \"description\": \"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they've been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\r\n \"name\": \"f2eb15bd-8a88-4b24-9281-e133edfba315\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n SigninLogs | where TimeGenerated >= 
ago(dt_lookBack)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend Region = tostring(LocationDetails[\\\"countryOrRegion\\\"]), State = tostring(LocationDetails[\\\"state\\\"]), City = tostring(LocationDetails[\\\"city\\\"])\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to SigninLogs\",\r\n \"description\": \"Identifies a match in SigninLogs from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": 
[\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\r\n \"name\": \"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": 
\"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to Syslog data\",\r\n \"description\": \"Identifies a match in Syslog data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\r\n \"name\": \"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let startdate = 1d;\\nlet threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of 
system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where TimeGenerated >= ago(startdate) \\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\nlet userfail = Syslog \\n| where TimeGenerated >= ago(startdate)\\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, 
Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts >= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed logon attempts in authpriv\",\r\n \"description\": \"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. 
\\nDefault threshold for logon attempts is 15.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\r\n \"name\": \"3d645a88-2724-41a7-adea-db74c439cf79\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 5000;\\nSophosXGFirewall\\n| where TimeGenerated >= timeframe\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Amount of Denied Connections from a Single Source\",\r\n \"description\": \"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n 
\"connectorId\": \"SophosXGFirewall\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\r\n \"name\": \"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 100;\\nSymantecProxySG \\n| where TimeGenerated >= timeframe\\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ > threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Denied Proxy Traffic\",\r\n \"description\": \"This alert creates an incident when a client generates an excessive amounts of denied proxy traffic.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecProxySG\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\r\n \"name\": \"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where published_t >= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User Login from Different Countries within 3 hours\",\r\n \"description\": \"This query searches for successful user logins to the Okta Console from different countries within 3 hours\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\r\n \"name\": \"19e01883-15d8-4eb6-a7a5-3276cd668388\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where TimeGenerated >= ago(timeFrame)\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ 
\\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount >= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": 
\"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of failed attempts from same client IP\",\r\n \"description\": \"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\r\n \"name\": \"4915c713-ab38-432e-800b-8e2d46933de6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let 
PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.'; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet startime = 7d;\\nlet ssh_logins = Syslog\\n| where TimeGenerated >= ago(startime)\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)),\\nprivateIPLoginHistory = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory['logon_time']) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory['IPCount'])), publicAverage=avg(toint(publicIPLoginHistory['IPCount'])), publicStd=stdev(toint(publicIPLoginHistory['IPCount'])), maxPublicLoginCount=max(toint(publicIPLoginHistory['IPCount']))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory['logon_time']) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory['IPCount'])), privateAverage=avg(toint(privateIPLoginHistory['IPCount'])), privateStd=stdev(toint(privateIPLoginHistory['IPCount']))\\n)\\n// Some logins from private IPs\\n| where privateAverage > avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage > avgthreshold\\n// Approximate probability of seeing login from a public IP 
is < 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic < probabilityLimit\\n// Today has the highest number of logins from public IPs that we've seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday >= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we've identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New internet-exposed SSH endpoints\",\r\n \"description\": \"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\r\n \"name\": \"500c103a-0319-4d56-8e99-3cec8d860757\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookBack = 
1d;\\nSigninLogs \\n| where TimeGenerated >= ago(lookBack)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = makeset(UserPrincipalName), \\napplicationSet = makeset(AppDisplayName) by IPAddress\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs\\n | where TimeGenerated >= ago(lookBack)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = makeset(UserPrincipalName, 15) by IPAddress\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount < 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where successfulAccountSigninCount != 0\\n| project StartTimeUtc, EndTimeUtc, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\r\n \"description\": 
\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\r\n \"name\": \"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll = \\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by 
UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime >= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime < ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New UserAgent observed in last 24 hours\",\r\n \"description\": \"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. 
This detection \\nextracts words from user agents to build the baseline and determine rareity rather than perform a \\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\r\n \"name\": \"d3980830-dd9d-40a5-911f-76b44dfdce16\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let RunTime = 1h;\\nSigninLogs\\n| where TimeGenerated > ago(RunTime)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName\\n| where CountOfLocations 
> 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"GitHub Signin Burst from Multiple Locations\",\r\n \"description\": \"This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8675dd7a-795e-4d56-a79c-fc848c5ee61c\",\r\n \"name\": \"8675dd7a-795e-4d56-a79c-fc848c5ee61c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nProofPointTAPClicksPermitted_CL\\n| where TimeGenerated >= timeframe\\n| where classification_s =~ \\\"malware\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\\n| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress, URLCustomEntity = URLClicked\",\r\n \"queryFrequency\": \"PT1H\",\r\n 
\"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware Link Clicked\",\r\n \"description\": \"This query identifies a user clicking on an email link whose threat category is classified as a malware\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointTAP\",\r\n \"dataTypes\": [\r\n \"ProofPointTAPClicksPermitted_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\r\n \"name\": \"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\r\n \"queryFrequency\": \"PT5M\",\r\n \"queryPeriod\": \"PT5M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n 
\"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Threats detected by Eset\",\r\n \"description\": \"Escalates threats detected by Eset.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"CredentialAccess\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-09T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"EsetSMC\",\r\n \"dataTypes\": [\r\n \"eset_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\r\n \"name\": \"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center\",\r\n \"displayName\": \"Create incidents based on Azure Security Center alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Security Center\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (ASC)\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\r\n \"name\": \"69b7723c-2889-469f-8b55-a2d355ed9c87\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, 
ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to DnsEvents\",\r\n \"description\": \"Identifies a match in DnsEvents from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\r\n 
\"name\": \"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n 
\"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Microsoft COVID-19 file hash indicator matches\",\r\n \"description\": \"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\r\n \"name\": \"884be6e7-e568-418e-9c12-89229865ffde\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where TimeGenerated > timeframe\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ > FailureThreshold\\n| project client_ipAddress_s, actor_alternateId_s;\\nOkta_CL\\n| where TimeGenerated > timeframe\\n| join kind=inner (FailedLogins) on 
client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, published_t\\n| sort by published_t desc\\n| extend timestamp = published_t, IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed Logins from Unknown or Invalid User\",\r\n \"description\": \"This query searches for numerous login attempts to the management console with an unknown or invalid user name\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\r\n \"name\": \"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n 
\"query\": \"eset_CL\\n| where event_type_s == 'FilteredWebsites_Event'\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\r\n \"queryFrequency\": \"PT5M\",\r\n \"queryPeriod\": \"PT5M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Web sites blocked by Eset\",\r\n \"description\": \"Create alert on web sites blocked by Eset.\",\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-09T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"EsetSMC\",\r\n \"dataTypes\": [\r\n \"eset_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\r\n \"name\": \"a04cf847-a832-4c60-b687-b0b6147da219\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n 
\"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where TimeGenerated >= ago(1d) \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where TimeGenerated >= ago(1d) \\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = 
max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Manganese IP and UserAgent activity\",\r\n \"description\": \"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\r\n \"name\": \"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n 
\"query\": \"let timeRange = 1d;\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI's seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n| where TimeGenerated >= ago(timeRange)\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes > 0 and ReceivedBytes > 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI <= uriThreshold\\n| where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN's while decreasing FP's\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, 
list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Request for single resource on domain\",\r\n \"description\": \"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\r\n \"name\": \"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend ResultType = 
columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Sensitive Azure Key Vault operations\",\r\n \"description\": \"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, KeyDecrypt, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\r\n \"name\": \"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MLBehaviorAnalytics\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Anomalous RDP Login Detections\",\r\n \"description\": \"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. 
Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Azure Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\r\n \"name\": \"b8266f81-2715-41a6-9062-42486cbc9c73\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet threshold = 200;\\nInfobloxNIOS\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ > threshold\\n| join kind=inner (InfobloxNIOS\\n | where TimeGenerated >= ago(timeframe)\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ 
\\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive NXDOMAIN DNS Queries\",\r\n \"description\": \"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"InfobloxNIOS\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\r\n \"name\": \"48607a29-a26a-4abf-8078-a06dbdd174a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 
50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = SigninLogs\\n| where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// collect window threshold breaches\\nSigninLogs\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName\\n| where FailedPrincipalCount >= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\n SigninLogs\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), 
make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches\\n| join kind= inner (\\nSigninLogs // get data on success vs. failure history for each IP\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress\\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Password spray attack against Azure AD application\",\r\n \"description\": \"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the 
same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\r\n \"name\": \"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let TimeFrame = ago(1d);\\nlet Alert1 = \\nSecurityAlert\\n| where TimeGenerated > TimeFrame\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| 
where TimeGenerated > TimeFrame\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff('minute', Alert1Time, Alert2Time)) <=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Correlate Unfamiliar sign-in properties 
and atypical travel alerts\",\r\n \"description\": \"When a user has both an Unfamiliar sign-in properties alert and an Atypical travel alert within 20 minutes, the alert should be handled with a higher severity\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectoryIdentityProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (IPC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\r\n \"name\": \"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 1;\\nAzureDiagnostics\\n | where TimeGenerated >= timeframe\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n 
| summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ >= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Several deny actions registered\",\r\n \"description\": \"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"LateralMovement\",\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\r\n \"name\": \"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName =~ 
\\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Login to AWS Management Console without MFA\",\r\n \"description\": \"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. 
Thereby indicating that a non-MFA login was successful.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\",\r\n \"PrivilegeEscalation\",\r\n \"Persistence\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\r\n \"name\": \"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe) \\n| where EventID == 4738\\n// 2089 value indicates the Don't Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"'Don't Expire Password' - Disabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"'Password Not Required' - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"'Password Not Required' - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTimeUtc = TimeGenerated, EventID, Computer, TargetUserName, TargetDomainName, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"AD account with don't expire password - disabled\",\r\n \"description\": \"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089 \\n%%2089 resolves to \\\"Don't Expire Password - Disabled\\\".\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\r\n \"name\": 
\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * '\\\"MemberName\\\">' AccountAdded \\\",OU\\\" * \\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * '\\\"MemberName\\\">' AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, 
TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed > 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Account added and removed from privileged groups\",\r\n \"description\": \"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' 
\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\r\n \"name\": \"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 8;\\nCarbonBlackNotifications_CL\\n| where TimeGenerated > timeframe\\n| where threatHunterInfo_score_d >= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": 
\"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Critical Threat Detected\",\r\n \"description\": \"This creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint.\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"VMwareCarbonBlack\",\r\n \"dataTypes\": [\r\n \"CarbonBlackNotifications_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\r\n \"name\": \"26a3b261-b997-4374-94ea-6c37f67f4f39\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", 
\\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", 
\\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where TimeGenerated >= ago(3d)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA1=' SHA1 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where TimeGenerated >= ago(timeframe)\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known GALLIUM domains and hashes\",\r\n \"description\": \"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\r\n \"name\": \"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents 
\\n| where TimeGenerated > ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name > threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name > threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare client observed with high reverse DNS lookup count\",\r\n \"description\": \"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\r\n \"name\": \"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\r\n 
\"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationName == \\\"Create role assignment\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ >= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated > ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CorrelationId = makelist(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationName, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious granting of permissions to an account\",\r\n \"description\": \"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.\",\r\n 
\"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\r\n \"name\": \"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Exchange AuditLog disabled\",\r\n \"description\": \"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\r\n \"name\": \"ba144bf8-75b8-406f-9420-ed74397f9479\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet suspicious_signins = \\n SigninLogs\\n | where TimeGenerated >= ago(timeframe)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress != \\\"127.0.0.1\\\"\\n | summarize count() by IPAddress\\n | where count_ > signin_threshold\\n | summarize make_list(IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n | where TimeGenerated > 
ago(timeframe)\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\\\"User name: ([^,]+)\\\", 1, Message) \\n | extend ClientOS = extract(\\\"Client OS version: ([^,\\\\\\\"]+)\\\", 1, Message)\\n | extend Location = extract(\\\"Source region: ([^,]{2})\\\",1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\r\n \"description\": \"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. 
It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-09-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\r\n \"name\": \"62085097-d113-459f-9ea7-30216f2ee6af\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 2d;\\nlet endtime = 1d;\\nSecurityEvent\\n// include yesterday and not today, so we can confirm a match occurs within the next day\\n| where TimeGenerated >= startofday(ago(starttime)) and TimeGenerated <= startofday(ago(endtime)) \\n// 4722: User Account Enabled\\n| where EventID == 4722 \\n// Removing Machine Accounts\\n| where TargetUserName !endswith \\\"$\\\" \\n| join kind= leftanti (\\n SecurityEvent\\n //verify over the last 2 days\\n | where TimeGenerated >= startofday(ago(starttime))\\n // Attempt made to change password\\n | where EventID == 4723\\n // Removing Machine Accounts\\n | where TargetUserName !endswith \\\"$\\\"\\n) on TargetUserName, TargetDomainName\\n| project StartTimeUtc = TimeGenerated, EventID, Computer, TargetUserName, TargetDomainName, SubjectUserName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, 
HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P2D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"AD user created password not set within 24-48 hours\",\r\n \"description\": \"Identifies whenever a new account is created with a default password and password is not changed within 24-48 hours.\\nSimple version, can be more precise with Windowing, but not necessary if run as an alert on a daily basis.\\nEffectively, there is an event 4722 indicating a user enabled and no event 4723 indicating a password was changed within in that day or the next day.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\r\n \"name\": \"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = 
(externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount > triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated > ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) > dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri's and/or >=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ > 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join 
kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated > ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Possible contact with a domain generated by a DGA\",\r\n \"description\": \"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Barracuda\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\r\n \"name\": \"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 
1d;\\n//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet suspicious_signins =\\nSigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress != \\\"127.0.0.1\\\"\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": 
\"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AzureAD logons but success logon to host\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\r\n \"name\": \"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Cloud App Security\",\r\n \"displayName\": \"Create incidents based on Microsoft Cloud App Security alerts\",\r\n \"description\": \"Create incidents based on all alerts 
generated in Microsoft Cloud App Security\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MCAS)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\r\n \"name\": \"80733eb7-35b2-45b6-b2b8-3c51df258206\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", 
\\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where TimeGenerated >= ago(timeframe)\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == '200'\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n 
\"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Squid proxy events related to mining pools\",\r\n \"description\": \"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. \\n http://www.squid-cache.org/Doc/config/access_log/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\r\n \"name\": \"04384937-e927-4595-8f3c-89ff58ed231f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 30d;\\nlet IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where TimeGenerated > ago(detectionTime)\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", 
\\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts > 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Possible STRONTIUM attempted credential harvesting\",\r\n \"description\": \"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\r\n \"name\": \"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": 
\"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"Unknown\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Fraction of Failed Signins\",\r\n \"(Log10) Number of Failed Signins\",\r\n \"(Log10) Failed Signins to (Log10) Successful Signins Ratio\",\r\n \"(Log10) Number of Signins with Incorrect Passwords\",\r\n \"(Log10) Incorrect Passwords to (Log10) Correct Passwords Ratio\",\r\n \"Fraction of Incorrect Password Signins\",\r\n \"Distinct Number of App Ids\",\r\n \"Distinct Number of Client Apps\",\r\n \"Distinct Number of Ip Addresses\",\r\n \"Distinct Number of Opperating Systems\",\r\n \"Distinct Number of Browsers\",\r\n \"Distinct Number of Cities\",\r\n \"Distinct Number of States\",\r\n \"Distinct Number of Countries\"\r\n ],\r\n \"values\": [\r\n \"Fraction of Failed Signins\",\r\n \"(Log10) Number of Failed Signins\",\r\n \"(Log10) Failed Signins to (Log10) Successful Signins Ratio\",\r\n \"(Log10) Number of Signins with Incorrect Passwords\",\r\n \"(Log10) Incorrect Passwords to (Log10) Correct Passwords Ratio\",\r\n \"Fraction of Incorrect Password Signins\",\r\n \"Distinct Number of App Ids\",\r\n \"Distinct Number of Client Apps\",\r\n \"Distinct Number of Ip Addresses\",\r\n \"Distinct Number of Opperating Systems\",\r\n \"Distinct Number of Browsers\",\r\n \"Distinct Number of Cities\",\r\n \"Distinct Number of States\",\r\n \"Distinct Number of Countries\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Top Reason for High Reconstruction Error\",\r\n \"description\": \"Include only anomalies where the top reason is one of these values.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": 
\"0.0\",\r\n \"maximum\": \"1.0\",\r\n \"value\": \"0.5\",\r\n \"name\": \"Reconstruction Error Score\",\r\n \"description\": \"Generate an anomaly when the reconstruction error score is greater than or equal to the chosen value.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Anomalous AAD Signin-Logs Sessions\",\r\n \"description\": \"The signin-logs are grouped into sessions on a per-user basis.\\nAn autoencoder is trained on the previous 6 days worth of sessions and is then applied to sessions from the last 1 day.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\r\n \"name\": \"23de46ea-c425-4a77-b456-511ae4855d69\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic(\\n[\\\"List keys\\\", \\\"List Storage Account Keys\\\", \\\"Register Subscription\\\", \\\"Create or Update Snapshot\\\", \\\"Create or Update Network Security Group\\\"]);\\nlet SensitiveActivity = 
AzureActivity\\n| where OperationName in~ (SensitiveOperationList)\\n| where ActivityStatus =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ >= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated >= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationName\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare subscription-level operations in Azure\",\r\n \"description\": \"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\r\n \"name\": \"074ce265-f684-41cd-af07-613c5f3e6d0d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend IPAddress = ClientIP, DNSName 
= Name, Host = Computer),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| extend IPAddress = RemoteIp, Host = Computer)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known STRONTIUM group domains - July 2019\",\r\n \"description\": \"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": 
[\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\r\n \"name\": \"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe) \\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetUserName), Domain = toupper(TargetDomainName), CreatedUserSid = TargetSid, AccountUsedToCreateUser = SubjectUserName\\n|join (\\nSecurityEvent \\n| where TimeGenerated > ago(timeframe) \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = TargetUserName, \\nDomain = toupper(TargetDomainName), GroupSid = TargetSid, UserAdded = SubjectUserName, UserAddedSid = SubjectUserSid, CreatedUser = tolower(SubjectUserName), \\nCreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, Domain, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, UserAdded, UserAddedSid \\n| extend timestamp = 
CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New user created and added to the built-in administrators group\",\r\n \"description\": \"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions reviewed.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\r\n \"name\": \"1fa1528e-f746-4794-8a41-14827f4cb798\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = ago(1h);\\nlet threshold = 100;\\nPulseConnectSecure\\n| where TimeGenerated >= timeframe\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User > 
threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\r\n \"description\": \"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PulseConnectSecure\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\r\n \"name\": \"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, 
SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to internet facing AWS RDS Database instances\",\r\n \"description\": \"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. 
\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\r\n \"name\": \"9713e3c0-1410-468d-b79e-383448434b2d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join 
(\\n VMConnection\\n | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to VMConnection\",\r\n \"description\": \"Identifies a match in VMConnection from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n 
\"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\r\n \"name\": \"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet endpointData = \\n(SecurityEvent\\n | where TimeGenerated >= ago(timeframe) \\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where TimeGenerated >= ago(timeframe)\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n 
\"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Network endpoint to host executable correlation\",\r\n \"description\": \"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently run.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"TrendMicro\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\r\n \"name\": \"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet threshold = 3;\\nSigninLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count(), applicationCount = dcount(AppDisplayName), \\napplicationSet = makeset(AppDisplayName) by UserPrincipalName, IPAddress\\n| where applicationCount >= threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Attempts to sign in to disabled accounts\",\r\n \"description\": \"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\r\n \"name\": \"78422ef2-62bf-48ca-9bab-72c69818a425\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio > threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, 
IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple RDP connections from Single System\",\r\n \"description\": \"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. \\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\r\n \"name\": \"40ba9493-4183-4eee-974f-87fe39c8f267\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Azure Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Advanced Threat Protection\",\r\n 
\"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (AATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\r\n \"name\": \"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nlet EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where TimeGenerated > ago(timeframe)\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes made to AWS 
CloudTrail logs\",\r\n \"description\": \"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\r\n \"name\": \"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = 
SourceIP\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known CERIUM domains and hashes\",\r\n \"description\": \"CERIUM malicious webserver and hash values for maldocs and malware. 
\\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\r\n \"name\": \"65c78944-930b-4cae-bd79-c3664ae30ba7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n(union isfuzzy=true\\n(AuditLogs \\n| where TimeGenerated >= ago(timeframe) \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc 
= max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"MFA disabled for a user\",\r\n \"description\": \"Multi-Factor Authentication (MFA) helps prevent credential compromise. 
This alert identifies when an attempt has been made to diable MFA for a user \",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\r\n \"name\": \"fbfbf530-506b-49a4-81ad-4030885a195c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated > ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where 
alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated > ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n 
\"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malicious web application requests linked with MDATP alerts\",\r\n \"description\": \"Takes MDATP alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-05-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\r\n \"name\": \"2fc5d810-c9cc-491a-b564-841427ae0e50\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailRecipient)\\n| join (\\n SecurityEvent | where 
TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailRecipient column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailRecipient == $right.TargetUserName\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SecurityEvent\",\r\n \"description\": \"Identifies a match in SecurityEvent table from any Email 
IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\r\n \"name\": \"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeFrame = 1d;\\nlet logonDiff = 10m;\\nSigninLogs \\n| where TimeGenerated >= ago(timeFrame) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])\\n| join kind= inner (\\n SigninLogs \\n | where TimeGenerated >= ago(timeFrame) \\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription\\n) on 
UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription \\n| extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SuccessIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Successful logon from IP and failure from a different IP\",\r\n \"description\": \"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\r\n \"name\": \"f845881e-2500-44dc-8ed7-b372af3e1e25\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeFrame = 1d;\\nlet short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n| where TimeGenerated >= ago(timeFrame)\\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount < c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n 
}\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous User Agent connection attempt\",\r\n \"description\": \"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\r\n \"name\": \"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), 
EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to WireData\",\r\n \"description\": \"Identifies a match in WireData from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n 
\"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\r\n \"name\": \"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, 
ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to W3CIISLog\",\r\n \"description\": \"Identifies a match in W3CIISLog from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\r\n \"name\": \"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe) \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where TimeGenerated >= ago(3d)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA256=' SHA265 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known ZINC related maldoc hash\",\r\n \"description\": \"Document hash used by ZINC in highly targeted spear phishing campaign.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\r\n \"name\": \"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value 
based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to OfficeActivity\",\r\n \"description\": \"Identifies a match in OfficeActivity from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n 
\"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\r\n \"name\": \"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"0.0.1\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.07\",\r\n \"name\": \"AnomalyScore\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious volume of logons to computer\",\r\n \"description\": \"This algorithm is to detect unusually high volume of successful logins per each workspace and computer. 
Successful logins are events with event id 4624.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\r\n \"name\": \"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 30d;\\nlet User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where TimeGenerated > ago(detectionTime)\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ 
\\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts > 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"displayName\": \"Possible STRONTIUM attempted credential harvesting\",\r\n \"description\": \"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\r\n \"name\": \"06107abb-1b68-4fdc-841b-8a1ff9301467\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1030\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": 
\"1\",\r\n \"value\": \"0.998\",\r\n \"name\": \"Receive_threshold\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n },\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.998\",\r\n \"name\": \"Send_threshold\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Palo Alto Networks - VPN data transfer anomaly\",\r\n \"description\": \"Data transfer anomaly over Palo Alto Globalprotect VPN session\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\r\n \"name\": \"957cb240-f45d-4491-9ba5-93430a3c08be\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1d;\\nOfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any ('NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)','devilfish-applicationaccount') and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| 
extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare and potentially high-risk Office operations\",\r\n \"description\": \"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\r\n \"name\": \"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nCommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\r\n 
\"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco ASA - threat detection message fired\",\r\n \"description\": \"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\r\n \"name\": \"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1h;\\nlet OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM 
requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where TimeGenerated >= ago(timeframe)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend DisplayName = tostring(parse_json(modifiedProperties).displayName), GroupName = trim(@'\\\"',tostring(parse_json(modifiedProperties).newValue))\\n| extend AppId = tostring(parse_json(parse_json(InitiatedBy).app).appId), InitiatedByDisplayName = tostring(parse_json(parse_json(InitiatedBy).app).displayName), ServicePrincipalId = tostring(parse_json(parse_json(InitiatedBy).app).servicePrincipalId), ServicePrincipalName = tostring(parse_json(parse_json(InitiatedBy).app).servicePrincipalName)\\n| where DisplayName =~ \\\"Role.WellKnownObjectName\\\"\\n| where GroupName in~ (PrivilegedGroups)\\n// If you want to still alert for operations from PIM, remove below filtering for MS-PIM.\\n| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ServicePrincipalName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User added to Azure Active Directory Privileged Groups\",\r\n \"description\": \"This will alert when a user is added to any of the Privileged 
Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\r\n \"name\": \"dd0a6029-ecef-4507-89c4-fc355ac52111\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated > ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC's that contain the entities we want\\n | where isnotempty(DomainName)\\n | 
join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, '.')\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CSL_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n 
\"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to CommonSecurityLog\",\r\n \"description\": \"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\r\n \"name\": \"157c0cfc-d76d-463b-8755-c781608cdc1a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nlet endtime = 1d;\\nCommonSecurityLog\\n| where TimeGenerated >= ago(endtime) \\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP 
matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n SigninLogs\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco - firewall block but success logon to Azure AD\",\r\n \"description\": \"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. 
\\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\r\n \"name\": \"738702fd-0a66-42c7-8586-e30f0583f8fe\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \\\"SHA1\\\"\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"FileHash\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Algorithm\",\r\n \"columnName\": \"FileHashType\"\r\n },\r\n {\r\n \"identifier\": \"Value\",\r\n \"columnName\": \"FileHashCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"TEARDROP memory-only dropper\",\r\n \"description\": \"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\r\n \"name\": \"69b7723c-2889-469f-8b55-a2d355ed9c87\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we 
want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n 
\"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to DnsEvents\",\r\n \"description\": \"Identifies a match in DnsEvents from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\r\n \"name\": \"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, 
AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Login to AWS Management Console without MFA\",\r\n \"description\": \"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. 
Thereby indicating that a non-MFA login was successful.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\",\r\n \"PrivilegeEscalation\",\r\n \"Persistence\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\r\n \"name\": \"884be6e7-e568-418e-9c12-89229865ffde\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ > FailureThreshold\\n| project client_ipAddress_s, actor_alternateId_s;\\nOkta_CL\\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, published_t\\n| sort by published_t desc\\n| extend timestamp = published_t, IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n 
\"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed Logins from Unknown or Invalid User\",\r\n \"description\": \"This query searches for numerous login attempts to the management console with an unknown or invalid user name\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\r\n \"name\": \"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let lbtime = 1h;\\nlet tls_ciphers = dynamic(['RC4-SHA', 'DES-CBC3-SHA']);\\nProofpointPOD\\n| where EventType == 'message'\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - 
Weak ciphers\",\r\n \"description\": \"Detects when weak TLS ciphers are used.\",\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\r\n \"name\": \"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"ZoomLogs \\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false' \\n| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', \\\"All settings changed\\\", \\n EnforceLogin == 'false' and EnforceLoginDomain == 'false', \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == 'false' and GuestAlerts == 'false', \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == 'false', \\\"Enfored Domains Changed\\\", \\n GuestAlerts == 'false', \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == 'false', \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| 
extend timestamp = TimeGenerated, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"External User Access Enabled\",\r\n \"description\": \"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba239935-42c2-472d-80ba-689186099ea1\",\r\n \"name\": \"ba239935-42c2-472d-80ba-689186099ea1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Guessing\\\"\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid Password Guessing\",\r\n \"description\": \"Searches for bruteforce Password Guessing attacks\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n 
\"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\r\n \"name\": \"884c4957-70ea-4f57-80b9-1bca3890315b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"&\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"&\\\")[0]),tostring(split(csUriQuery, \\\"&\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so 
can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount >= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, 
set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of failed logons by a user\",\r\n \"description\": \"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\r\n \"name\": \"78979d32-e63f-4740-b206-cfb300c735e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_IP_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(NetworkIP)\\n| summarize make_list(NetworkIP);\\nProofpointPOD \\n| where TimeGenerated > ago(timeframe)\\n| where isnotempty(SrcIpAddr)\\n| where SrcIpAddr in~ (TI_IP_List)\\n| extend Message = \\\"Email sender IP in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn, SrcIpAddr\\n| extend AccountCustomEntity = SrcUserUpn, IpCustomEntity = SrcIpAddr\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Email sender IP in TI list\",\r\n \"description\": \"Email sender IP in TI list.\",\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_maillog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\r\n \"name\": \"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName contains \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = 
countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Brute force attack against Azure Portal\",\r\n \"description\": \"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\r\n \"name\": \"35a0792a-1269-431e-ac93-7ae2980d4dde\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_email_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(EmailSenderAddress)\\n| summarize make_list(EmailSenderAddress);\\nProofpointPOD \\n| where TimeGenerated > ago(timeframe)\\n| where isnotempty(SrcUserUpn)\\n| where SrcUserUpn in~ (TI_email_List)\\n| extend Message = \\\"Email sender in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n 
\"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Email sender in TI list\",\r\n \"description\": \"Email sender in TI list.\",\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_maillog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\r\n \"name\": \"62085097-d113-459f-9ea7-30216f2ee6af\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated >= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, 
Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff('minute', Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min > 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P3D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n },\r\n {\r\n \"identifier\": \"Sid\",\r\n \"columnName\": \"TargetSid\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"AD user enabled and password not set within 48 hours\",\r\n \"description\": \"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. 
This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\r\n \"name\": \"11b4c19d-2a79-4da3-af38-b067e1273dee\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend NamedPipe = EventDetail.[5].[\\\"#text\\\"]\\n| extend ProcessDetail = EventDetail.[6].[\\\"#text\\\"]\\n| where NamedPipe contains '583da945-62af-10e8-4902-a8f205c72b2e'\\n| extend Account = UserName\\n| project-away EventDetail, EvData\\n),\\n(\\n SecurityEvent\\n| where EventID == '5145'\\n| where AccessList has '%%4418' // presence of CreatePipeInstance value \\n| where RelativeTargetName contains '583da945-62af-10e8-4902-a8f205c72b2e'\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Solorigate Named Pipe\",\r\n \"description\": \"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\r\n \"name\": \"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nAzureActivity\\n| where OperationName in (operationList)\\n| where ActivityStatus == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = 
tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationName, ActivityStatus, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Creation of expensive computes in Azure\",\r\n \"description\": \"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": 
[\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\r\n \"name\": \"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, 
Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to OfficeActivity\",\r\n \"description\": \"Identifies a match in OfficeActivity from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\r\n \"name\": 
\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n 
\"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to CommonSecurityLog\",\r\n \"description\": \"Identifies a match in CommonSecurityLog table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\r\n \"name\": \"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"(union isfuzzy=true (SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
\\n| where ObjectServer == 'DS'\\n| where OperationType == 'Object Access'\\n//| where ObjectName contains '= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated >= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, 
HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Audit policy manipulation using auditpol utility\",\r\n \"description\": \"This detects attempt to manipulate 
audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceProcessEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\r\n \"name\": \"80733eb7-35b2-45b6-b2b8-3c51df258206\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", 
\\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = 
extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == '200'\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Squid proxy events related to mining pools\",\r\n \"description\": \"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\r\n \"name\": \"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted > TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"External user added and removed in short timeframe\",\r\n \"description\": \"This detection flags the occurances of external user accounts that are added to a Team and then removed within\\none hour.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity (Teams)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\r\n \"name\": \"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ >= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n 
}\r\n ],\r\n \"displayName\": \"High Number of Urgent Vulnerabilities Detected\",\r\n \"description\": \"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"QualysVulnerabilityManagement\",\r\n \"dataTypes\": [\r\n \"QualysHostDetection_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\r\n \"name\": \"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'inbound'\\n| where FilterDisposition !in ('reject', 'discard')\\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\\n| where attachedMimeType == 'application/zip'\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Binary file in attachment\",\r\n \"description\": \"Detects when email recieved with binary file as 
attachment.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b783df9c-4088-452e-a791-0c4fca47a109\",\r\n \"name\": \"b783df9c-4088-452e-a791-0c4fca47a109\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1568\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": [\r\n {\r\n \"prioritize\": null,\r\n \"exclude\": \".lan, .home\",\r\n \"dataType\": \"string\",\r\n \"name\": \"Top level domain\",\r\n \"description\": \"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0.0\",\r\n \"maximum\": \"1.0\",\r\n \"value\": \"0.9\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Domain generation algorithm (DGA) on DNS domains\",\r\n \"description\": \"This machine learning model indicates potential DGA domains in the 
second-level-domain (SLD) from the last day in the DNS logs.\\nThe algorithm applies to the DNS records that resolve to IPv4 and IPv6 addresses.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\r\n \"name\": \"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SecurityEvent\\n| where EventID == 4688\\n| where Process =~ 'rundll32.exe' \\n| where CommandLine has_all ('Execute','RegRead','window.close')\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\r\n \"description\": \"This query 
idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\r\n \"name\": \"48607a29-a26a-4abf-8078-a06dbdd174a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = SigninLogs\\n| where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// collect window threshold breaches\\nSigninLogs\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName\\n| where FailedPrincipalCount >= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\n SigninLogs\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, 
WindowThresholdBreaches\\n| join kind= inner (\\nSigninLogs // get data on success vs. failure history for each IP\\n| where TimeGenerated > ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress\\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Password spray attack against Azure AD application\",\r\n \"description\": \"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\r\n \"name\": \"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. 
\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount > threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), \\ntostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse 
TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType , CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 3,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare application consent\",\r\n \"description\": \"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could 
indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"LateralMovement\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\r\n \"name\": \"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount > threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList 
= makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SSH - Potential Brute Force\",\r\n \"description\": \"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\r\n \"name\": \"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Active Directory Identity Protection\",\r\n \"displayName\": \"Create incidents based on Azure Active Directory Identity Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Active 
Directory Identity Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectoryIdentityProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (IPC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\r\n \"name\": \"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n 
}\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to Amazon VPC settings\",\r\n \"description\": \"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\",\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\r\n \"name\": \"5ef06767-b37c-4818-b035-47de950d0046\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dontnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = 
dynamic([\\\"\\\"]);\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime <= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Build Process Compromise\",\r\n \"description\": \"The query looks for 
source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\r\n \"name\": \"ec21493c-2684-4acd-9bc2-696dbad72426\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated > ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC's that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend 
IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceVendor =~ 'Palo Alto Networks'\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, '.')\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CSL_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n 
\"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to PaloAlto\",\r\n \"description\": \"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\r\n \"name\": \"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic(['vip1@email.com','vip2@email.com']);\\nLAQueryLogs\\n| where QueryText 
has_any (vips)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Users searching for VIP user activity\",\r\n \"description\": \"This query monitors for users running Log Analytics queries that contain filters \\nfor specific, defined VIP user accounts. Use this detection to alert for users specifically \\nsearching for activity of sensitive users.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\r\n \"name\": \"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.1\",\r\n \"techniques\": [\r\n \"T1030\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.87\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate 
an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Excessive upload via Palo Alto GlobalProtect\",\r\n \"description\": \"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. It indicates anomalous high volume of upload in the last day.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\r\n \"name\": \"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n 
Syslog\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to Syslog\",\r\n \"description\": \"Identifies a match in Syslog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n 
\"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\r\n \"name\": \"a9956d3a-07a9-44a6-a279-081a85020cae\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\\n| where Total > threshold\\n| project ClientIP;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess() on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n 
\"displayName\": \"ClientDeniedAccess\",\r\n \"description\": \"Creates an incident in the event a Client has an excessive amounts of denied access requests.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecVIP\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\r\n \"name\": \"f2dd4a3a-ebac-4994-9499-1a859938c947\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between 
(startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated > ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), 
TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated > ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB > bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset 
per Hourly Partition\\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Time series anomaly for data size transferred to public internet\",\r\n \"description\": \"Identifies anomalous data transfer to 
public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\r\n \"name\": \"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > 
now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n 
\"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to WireData\",\r\n \"description\": \"Identifies a match in WireData from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\r\n \"name\": \"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = 
columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n 
\"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Sensitive Azure Key Vault operations\",\r\n \"description\": \"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\r\n \"name\": \"04384937-e927-4595-8f3c-89ff58ed231f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| 
where authAttempts > 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\r\n \"description\": \"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\r\n \"name\": \"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 50;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| where dcount_Dst_Port > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n 
\"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Port Scan Detected\",\r\n \"description\": \"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short period.\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SophosXGFirewall\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\r\n \"name\": \"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let cmdTokens0 = dynamic(['vbscript','jscript']);\\nlet cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);\\nlet cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);\\nSecurityEvent\\n| where TimeGenerated >= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @'\\\\Microsoft\\\\Windows\\\\CurrentVersion'\\n| where not(CommandLine has_any (@'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run', @'\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce'))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where 
CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"NOBELIUM - Script payload stored in Registry\",\r\n \"description\": \"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\r\n \"name\": \"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": 
\"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated > ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !hassuffix \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated > ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime < spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P2D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n },\r\n {\r\n \"identifier\": \"Sid\",\r\n \"columnName\": 
\"SIDofAccountUsedToEnable\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account enabled and disabled within 10 mins\",\r\n \"description\": \"Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\r\n \"name\": \"707494a5-8e44-486b-90f8-155d1797a8eb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated >= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = 
targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated >= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent > TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\r\n 
\"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P2D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Credential added after admin consented to Application\",\r\n \"description\": \"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\r\n \"name\": \"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes made to AWS CloudTrail logs\",\r\n \"description\": \"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. 
\\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\r\n \"name\": \"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = 
TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Azure Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n 
},\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"First access credential added to Application or Service Principal where no credential was present\",\r\n \"description\": \"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\r\n \"name\": \"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// a threshold can be enabled, see commented line below for 
PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = 'FileUploaded';\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated >= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount > threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\\\\\.', '_',UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime 
= max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New executable via Office FileUploaded Operation\",\r\n \"description\": \"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n 
\"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\r\n \"name\": \"d804b39c-03a4-417c-a949-bdbf21fa3305\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\");\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\");\\nlet ips = (iocs | where Type =~ \\\"ip\\\");\\nlet domains = (iocs | where Type =~ \\\"domainname\\\");\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes 
with * 'SHA256=' SHA256 ',' *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(VMConnection\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\\n| where SourceIp in (ips) or DestinationIp in (ips)\\n| extend IPMatch = case( SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = 
case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where (RemoteIPType =~ \\\"Public\\\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\nDnsEvents\\n| where SubType =~ \\\"LookupQuery\\\"\\n| where Name has_any (domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\\n)\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Exchange Server 
Vulnerabilities Disclosed March 2021 IoC Match\",\r\n \"description\": \"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-04-01T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (CheckPoint)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Cisco)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (F5)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Fortinet)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (PaloAlto)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"WindowsFirewall\",\r\n \"dataTypes\": [\r\n \"WindowsFirewall\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\r\n \"name\": \"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// Adjust this to use a longer timeframe to identify ADFS servers\\nlet lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\nlet timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n| where TimeGenerated > ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, 
ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\\n| where EventID in (17,18)\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ADFS Key Export (Sysmon)\",\r\n \"description\": \"This detection uses Sysmon telemetry to detect potential ADFS certificate material export. 
\\nIn order to use this query you need to be collecting Sysmon EventIdD 17 and 18.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\r\n \"name\": \"5f0d80db-3415-4265-9d52-8466b7372e3a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure 
DevOps - PAT used with Browser.\",\r\n \"description\": \"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access for use in code or applications. Given this they can be prone to attacker theft if not adequately secured. This queries looks for the use of a PAT in authentication but from a User Agent indicating a browser. This should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\r\n \"name\": \"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SigninLogs | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend Region = 
tostring(LocationDetails[\\\"countryOrRegion\\\"]), State = tostring(LocationDetails[\\\"state\\\"]), City = tostring(LocationDetails[\\\"city\\\"])\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SigninLogs\",\r\n \"description\": \"Identifies a match in SigninLogs table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n 
\"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\r\n \"name\": \"75bf9902-0789-47c1-a5d8-f57046aa72df\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n 
\"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware in the recycle bin\",\r\n \"description\": \"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2018-09-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\r\n \"name\": \"23005e87-2d3a-482b-b03d-edbebd1ae151\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated > ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated > ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 
0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"HAFNIUM Suspicious Exchange Request\",\r\n \"description\": \"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0558155e-4556-447e-9a22-828f2a7de06b\",\r\n \"name\": \"0558155e-4556-447e-9a22-828f2a7de06b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"ProofPointTAPMessagesDelivered_CL\\n| mv-expand todynamic(threatsInfoMap_s)\\n| mv-expand todynamic(messageParts_s)\\n| extend threatType = tostring(threatsInfoMap_s.threatType), classification = 
tostring(threatsInfoMap_s.classification)\\n| extend filename = tostring(messageParts_s.filename)\\n| where threatType =~ \\\"attachment\\\" and classification =~ \\\"malware\\\"\\n| summarize filenames = make_set(filename), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, threatType, classification, Subject = subject_s\\n| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware attachment delivered\",\r\n \"description\": \"This query identifies a message containing a malware attachment that was delivered.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointTAP\",\r\n \"dataTypes\": [\r\n \"ProofPointTAPMessagesDelivered_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\r\n \"name\": \"3ff0fffb-d963-40c0-b235-3404f915add7\",\r\n \"type\": 
\"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"GitHub Two Factor Auth Disable\",\r\n \"description\": \"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\r\n \"name\": \"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let servicelist = dynamic(['Services\\\\\\\\HealthService', 'Services\\\\\\\\Sense', 'Services\\\\\\\\WinDefend', 'Services\\\\\\\\MsSecFlt', 'Services\\\\\\\\DiagTrack', 'Services\\\\\\\\SgrmBroker', 'Services\\\\\\\\SgrmAgent', 'Services\\\\\\\\AATPSensorUpdater' , 'Services\\\\\\\\AATPSensor', 'Services\\\\\\\\mpssvc']);\\nlet filename = dynamic([\\\"subinacl.exe\\\",'SetACL.exe']);\\nlet parameters = dynamic (['/deny=SYSTEM', '/deny=S-1-5-18', '/grant=SYSTEM=r', '/grant=S-1-5-18=r', 'n:SYSTEM;p:READ', 'n1:SYSTEM;ta:remtrst;w:dacl']);\\nlet FullAccess = dynamic(['A;CI;KA;;;SY', 'A;ID;KA;;;SY', 'A;CIID;KA;;;SY']);\\nlet ReadAccess = dynamic(['A;CI;KR;;;SY', 'A;ID;KR;;;SY', 'A;CIID;KR;;;SY']);\\nlet DenyAccess = dynamic(['D;CI;KR;;;SY', 'D;ID;KR;;;SY', 'D;CIID;KR;;;SY']);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == 'Key'\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * 'OldSd\\\">' OldSd \\\"<\\\" *\\n| parse EventData with * 'NewSd\\\">' NewSd \\\"<\\\" *\\n| extend Reason = case( (OldSd has ';;;SY' and NewSd !has ';;;SY'), 'System Account is removed', (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , 'System 
permission has been changed to read from full access', (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), 'System account has been given denied permission', 'None')\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated >= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Security Service Registry ACL Modification\",\r\n \"description\": \"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. \\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceProcessEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\r\n \"name\": \"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\r\n \"queryFrequency\": \"PT15M\",\r\n \"queryPeriod\": \"PT15M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"UrlCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Crypto Miner User-Agent Detected\",\r\n \"description\": \"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n 
{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\r\n \"name\": \"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\r\n \"queryFrequency\": 
\"P3D\",\r\n \"queryPeriod\": \"P3D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"DeletingUser\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"DeletingIP\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Pipeline Created and Deleted on the Same Day\",\r\n \"description\": \"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\r\n \"name\": \"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non 
$left.TI_ipEntity == $right.cIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to W3CIISLog\",\r\n \"description\": \"Identifies a match in W3CIISLog from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": 
[\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\r\n \"name\": \"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A 
security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n },\r\n {\r\n \"identifier\": \"Sid\",\r\n \"columnName\": \"GroupCreateSubjectUserSid\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Group created then added to built in domain local or global group\",\r\n \"description\": \"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\r\n \"name\": \"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.1\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.7\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious volume of logins to user account with elevated token\",\r\n \"description\": \"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-09T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\r\n \"name\": \"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * '(' DNSName ')' * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n | where isnotempty(DNSName)\\n 
| where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"DNS\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"DomainName\",\r\n \"columnName\": \"DNSName\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Solorigate Network Beacon\",\r\n \"description\": \"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n 
\"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceNetworkEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\r\n \"name\": \"5436f471-b03d-41cb-b333-65891f887c43\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"query\": \"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"GitHub Security Vulnerability in Repository\",\r\n \"description\": \"This alerts when there is a new security vulnerability in a GitHub repository.\",\r\n \"lastUpdatedDateUTC\": \"2021-01-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\r\n \"name\": \"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n 
\"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org']);\\nlet IPList = dynamic(['185.225.69.69']);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (DomainNames) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = 
UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"DNS\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"DomainName\",\r\n \"columnName\": \"DNSName\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"NOBELIUM - Domain and IP IOCs - March 2021\",\r\n \"description\": \"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n 
\"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceNetworkEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\r\n \"name\": \"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"Unknown\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Fraction of failed signins\",\r\n \"Number of failed signins\",\r\n \"Failed signins to successful signins ratio\",\r\n \"Number of signins with incorrect passwords\",\r\n \"Incorrect passwords to correct passwords ratio\",\r\n \"Fraction of incorrect password signins\",\r\n \"Distinct number of app ids\",\r\n \"Distinct number of client apps\",\r\n \"Distinct number of ip addresses\",\r\n \"Distinct number of opperating systems\",\r\n \"Distinct number of browsers\",\r\n \"Distinct number of cities\",\r\n \"Distinct number of states\",\r\n \"Distinct number of countries\"\r\n ],\r\n \"values\": [\r\n \"Fraction of failed signins\",\r\n \"Number of failed signins\",\r\n \"Failed signins to successful signins ratio\",\r\n \"Number of signins with incorrect passwords\",\r\n \"Incorrect passwords to correct passwords ratio\",\r\n \"Fraction of incorrect password signins\",\r\n \"Distinct number of app ids\",\r\n \"Distinct number of client 
apps\",\r\n \"Distinct number of ip addresses\",\r\n \"Distinct number of opperating systems\",\r\n \"Distinct number of browsers\",\r\n \"Distinct number of cities\",\r\n \"Distinct number of states\",\r\n \"Distinct number of countries\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n \"valuesKql\": null,\r\n \"name\": \"Top reason for high anomaly score\",\r\n \"description\": \"Include only anomalies where the top reason is one of these values.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0.0\",\r\n \"maximum\": \"1.0\",\r\n \"value\": \"0.5\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Anomalous Azure AD sign-in sessions\",\r\n \"description\": \"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\r\n \"name\": \"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": 
\"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to OfficeActivity\",\r\n \"description\": \"Identifies a match in OfficeActivity table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\r\n \"name\": \"1218175f-c534-421c-8070-5dcaabf28067\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = 
arraylength(Channels) \\n| where ChannelCount > threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious link sharing pattern\",\r\n \"description\": \"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/154fde9f-ae00-4422-a8da-ef00b11da3fc\",\r\n \"name\": \"154fde9f-ae00-4422-a8da-ef00b11da3fc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 0\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n 
\"displayName\": \"Alsid Indicators of Exposures\",\r\n \"description\": \"Searches for triggered Indicators of Exposures\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\r\n \"name\": \"f948a32f-226c-4116-bddd-d95e91d97eb9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains 
\\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project 
TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious application consent similar to O365 Attack Toolkit\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-03T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\r\n \"name\": \"45b903c5-6f56-4969-af10-ae62ac709718\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare RDP Connections\",\r\n \"description\": \"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-01-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"name\": \"327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Defender Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Microsoft Defender Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Microsoft Defender Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-10-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MDATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\r\n \"name\": \"4915c713-ab38-432e-800b-8e2d46933de6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.'; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet ssh_logins = Syslog\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)),\\nprivateIPLoginHistory = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory['logon_time']) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory['IPCount'])), publicAverage=avg(toint(publicIPLoginHistory['IPCount'])), publicStd=stdev(toint(publicIPLoginHistory['IPCount'])), maxPublicLoginCount=max(toint(publicIPLoginHistory['IPCount']))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory['logon_time']) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory['IPCount'])), privateAverage=avg(toint(privateIPLoginHistory['IPCount'])), privateStd=stdev(toint(privateIPLoginHistory['IPCount']))\\n)\\n// Some logins from private IPs\\n| where privateAverage > avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage > avgthreshold\\n// Approximate probability of seeing login from a public IP is < 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic < probabilityLimit\\n// Today has the highest number of logins from public IPs that we've seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday >= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally 
retrieve the original raw data for those logins that we've identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New internet-exposed SSH endpoints\",\r\n \"description\": \"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\r\n \"name\": \"f041e01d-840d-43da-95c8-4188f6cef546\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\\n | distinct Country, Actor \\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"GitHub Activites from a New Country\",\r\n \"description\": \"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\r\n \"name\": \"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'\\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Zoom E2E Encryption Disabled\",\r\n \"description\": \"This alerts when end to end encryption is disabled for Zoom meetings.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\r\n \"name\": \"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract 
domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to DnsEvent\",\r\n \"description\": \"Identifies a match in DnsEvent table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n 
\"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\r\n \"name\": \"b8266f81-2715-41a6-9062-42486cbc9c73\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 200;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ > threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive NXDOMAIN DNS Queries\",\r\n \"description\": \"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n 
\"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"InfobloxNIOS\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\r\n \"name\": \"25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"afad_parser\\n| where MessageType == 2 and Codename == \\\"DCShadow\\\"\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid DCShadow\",\r\n \"description\": \"Searches for DCShadow attacks\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\r\n \"name\": \"12dcea64-bec2-41c9-9df2-9f28461b1295\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// 
Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union ( \\n SecurityEvent\\n | where TimeGenerated > ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n 
\"displayName\": \"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\r\n \"description\": \"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\r\n \"name\": \"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = 
next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds > TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents > TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent > PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Palo Alto - potential beaconing 
detected\",\r\n \"description\": \"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\r\n \"name\": \"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\r\n \"queryFrequency\": \"PT5M\",\r\n \"queryPeriod\": \"PT5M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Threats detected by Eset\",\r\n \"description\": \"Escalates threats detected by Eset.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"CredentialAccess\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-09T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"EsetSMC\",\r\n \"dataTypes\": [\r\n \"eset_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\r\n \"name\": \"a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-NATIVE-ADM-GROUP-MEMBERS\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-PROTECTED-USERS-GROUP-UNUSED\\\", \\\"C-ADMINCOUNT-ACCOUNT-PROPS\\\", \\\"C-ADM-ACC-USAGE\\\", \\\"C-LAPS-UNSECURE-CONFIG\\\", \\\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\r\n 
\"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid privileged accounts issues\",\r\n \"description\": \"Searches for triggered Indicators of Exposures related to privileged accounts issues\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-07T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\r\n \"name\": \"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center\",\r\n \"displayName\": \"Create incidents based on Azure Security Center alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Security Center\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (ASC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\r\n \"name\": \"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n 
}\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to Syslog data\",\r\n \"description\": \"Identifies a match in Syslog data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\r\n \"name\": \"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| 
where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"HAFNIUM Suspicious UM Service Error\",\r\n \"description\": \"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-10T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\r\n \"name\": \"26a3b261-b997-4374-94ea-6c37f67f4f39\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", 
\\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", 
\\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA1=' SHA1 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known GALLIUM domains and hashes\",\r\n \"description\": \"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. 
\\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3acf5617-7c41-4085-9a79-cc3a425ba83a\",\r\n \"name\": \"3acf5617-7c41-4085-9a79-cc3a425ba83a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"afad_parser\\n| where MessageType == 2 and Codename == \\\"OS Credential Dumping: LSASS Memory\\\"\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid LSASS Memory\",\r\n 
\"description\": \"Searches for OS Credentials dumping attacks\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\r\n \"name\": \"2560515c-07d1-434e-87fb-ebe3af267760\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n 
AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mail.Read Permissions Granted to Application\",\r\n \"description\": \"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. 
This can help identify applications that have been abused to gain access to mailboxes.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\r\n \"name\": \"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came 
from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, '|', 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\r\n \"description\": \"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-16T00:00:00Z\",\r\n 
\"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\r\n \"name\": \"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let endpointData = \\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, '\\\\\\\\')[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n 
\"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Network endpoint to host executable correlation\",\r\n \"description\": \"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently run.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"TrendMicro\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\r\n \"name\": \"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let szOperationNames = dynamic([\\\"Create or Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationName, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated > ago(endtime)\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatus = makeset(ActivityStatus), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious Resource deployment\",\r\n \"description\": \"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\r\n \"name\": \"fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-ACCOUNTS-DANG-SID-HISTORY\\\", \\\"C-PRE-WIN2000-ACCESS-MEMBERS\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-SLEEPING-ACCOUNTS\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-PASSWORD-NOT-REQUIRED\\\", \\\"C-USER-PASSWORD\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid user accounts issues\",\r\n \"description\": \"Searches for triggered Indicators of Exposures related to user accounts issues\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-07T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\r\n \"name\": \"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated >= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated >= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated >= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = 
strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Email access via active sync\",\r\n \"description\": \"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn't yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps \",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceProcessEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29094df8-e0c7-4475-a74c-bda74a07affb\",\r\n \"name\": \"29094df8-e0c7-4475-a74c-bda74a07affb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.1\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.03\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious volume of logins to user account by logon types\",\r\n \"description\": \"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-09T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\r\n \"name\": \"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n| join (\\nSecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, 
CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n },\r\n {\r\n \"identifier\": \"Sid\",\r\n \"columnName\": \"CreatedUserSid\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New user created and added to the built-in administrators group\",\r\n \"description\": \"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions reviewed.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\r\n \"name\": \"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\r\n \"type\": 
\"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.2.2\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.07\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious volume of logins to user account\",\r\n \"description\": \"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. It indicates anomalous high volume of successful logins in the last day\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\r\n \"name\": \"dd0a6029-ecef-4507-89c4-fc355ac52111\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of 
TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated > ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, '.')\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC's that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, '.')\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains 
where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CSL_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CSL_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to CommonSecurityLog\",\r\n \"description\": \"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\r\n \"name\": \"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated > ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount > threshold;\\nOfficeActivity \\n| where TimeGenerated > ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SharePointFileOperation via devices with previously unseen user agents\",\r\n \"description\": \"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 5).\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-01T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\r\n \"name\": \"84cf1d59-f620-4fee-b569-68daf7008b7b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s >= threshold\\n| extend timestamp = StartTime\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"New High Severity Vulnerability Detected Across Multiple Hosts\",\r\n \"description\": \"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"QualysVulnerabilityManagement\",\r\n \"dataTypes\": [\r\n \"QualysHostDetection_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\r\n \"name\": \"157c0cfc-d76d-463b-8755-c781608cdc1a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let PrivateIPregex = @'^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.';\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n SigninLogs\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco - firewall block but success logon to Azure AD\",\r\n \"description\": \"Correlate IPs blocked by a Cisco firewall appliance 
with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\r\n \"name\": \"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, 
IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known IRIDIUM IP\",\r\n \"description\": \"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-03T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n 
]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\r\n \"name\": \"a04cf847-a832-4c60-b687-b0b6147da219\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any 
(IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Manganese IP and UserAgent activity\",\r\n \"description\": \"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\r\n \"tactics\": [\r\n 
\"InitialAccess\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\r\n \"name\": \"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let logonDiff = 10m;\\nSigninLogs \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1])\\n| join kind= inner (\\n SigninLogs \\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription 
\\n| extend timestamp = SuccessLogonTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SuccessIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Successful logon from IP and failure from a different IP\",\r\n \"description\": \"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\r\n \"name\": \"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", 
\\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n 
\"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Squid proxy events for ToR proxies\",\r\n \"description\": \"Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-12T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\r\n \"name\": \"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated 
between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated > ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated > ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount > 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal > percentthreshold // Filter Users with count of less than 5 percent of 
TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Exchange workflow MailItemsAccessed operation anomaly\",\r\n \"description\": \"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\r\n \"tactics\": [\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\r\n \"name\": \"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to internet facing AWS RDS Database instances\",\r\n \"description\": \"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. 
\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\r\n \"name\": \"09551db0-e147-4a0c-9e7b-918f88847605\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);\\nlet SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', 
'0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(DnsEvents\\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend DataType = \\\"DnsEvents\\\", IPAddress = ClientIP\\n| 
project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * 'SHA256=' SHA256 ',' * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, 
FileName\\n),\\n(SecurityEvent\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known ZINC Comebacker and Klackring malware hashes\",\r\n \"description\": \"ZINC attacks against security researcher campaign malware hashes.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-03T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n 
\"DeviceProcessEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceFileEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceNetworkEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\r\n \"name\": \"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n 
\"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map File Hash to Security Event\",\r\n \"description\": \"Identifies a match in Security Event data from any File Hash IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\r\n \"name\": \"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also 
extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\nlet userfail = Syslog \\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine 
total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts >= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed logon attempts in authpriv\",\r\n \"description\": \"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. 
\\nDefault threshold for logon attempts is 15.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\r\n \"name\": \"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SigninLogs\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = IPAddress\\n| extend URLCustomEntity = ClientAppUsed\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Explicit MFA Deny\",\r\n \"description\": \"User explicitly denies MFA push, indicating that login was not expected and the account's password may be 
compromised.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\r\n \"name\": \"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != 'UserLoggedIn'\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ 
\\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts > 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\r\n \"description\": \"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\r\n \"name\": \"de58ee9e-b229-4252-8537-41a4c2f4045e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| extend file_ext = extract(@'.*(\\\\.\\\\w+)$', 1, UrlOriginal)\\n| extend Filename = extract(@'.*\\\\/*\\\\/(.*\\\\.\\\\w+)$', 1, 
UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Request to blocklisted file type\",\r\n \"description\": \"Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\r\n \"name\": \"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n 
\"prioritizeExcludeObservations\": [\r\n {\r\n \"prioritize\": null,\r\n \"exclude\": \".txt,.jpg,.mp4\",\r\n \"dataType\": \"string\",\r\n \"name\": \"File extension\",\r\n \"description\": \"Give comma separated file extension to exclude from source data within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\r\n \"sequenceNumber\": 2,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"5\",\r\n \"maximum\": \"100\",\r\n \"value\": \"10\",\r\n \"name\": \"Minimum number of downgrades\",\r\n \"description\": \"Generate an anomaly when number of downgrade label is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Unusual mass downgrade AIP label\",\r\n \"description\": \"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of downgrade activity.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-18T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureInformationProtection\",\r\n \"dataTypes\": [\r\n \"InformationProtectionLogs_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\r\n \"name\": \"53e936c6-6c30-4d12-8343-b8a0456e8429\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": 
\"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SUNSPOT malware hashes\",\r\n \"description\": \"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceImageLoadEvents\",\r\n \"DeviceEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\r\n \"name\": 
\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ADO Build Variable Modified by New User.\",\r\n \"description\": \"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. 
An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed modifying them before.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\r\n \"name\": \"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet suspicious_signins =\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress != \\\"127.0.0.1\\\"\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| 
project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AzureAD logons but success logon to host\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n 
{\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\r\n \"name\": \"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": [\r\n {\r\n \"prioritize\": null,\r\n \"exclude\": \".msg,.jpg,.txt\",\r\n \"dataType\": \"string\",\r\n \"name\": \"File extension\",\r\n \"description\": \"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\r\n \"sequenceNumber\": 2,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.9\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when the error percentile is greater than chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious number of protected documents accessed\",\r\n \"description\": \"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. 
\\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureInformationProtection\",\r\n \"dataTypes\": [\r\n \"InformationProtectionLogs_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\r\n \"name\": \"4a3073ac-7383-48a9-90a8-eb6716183a54\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = MD5\",\r\n 
\"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"FileHash\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Algorithm\",\r\n \"columnName\": \"MD5\"\r\n },\r\n {\r\n \"identifier\": \"Value\",\r\n \"columnName\": \"FileHashCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SUNBURST suspicious SolarWinds child processes\",\r\n \"description\": \"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceProcessEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\r\n \"name\": \"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\r\n \"type\": 
\"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityEvent\\n| where EventID == 4738\\n// 2089 value indicates the Don't Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"'Don't Expire Password' - Enabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"'Password Not Required' - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"'Password Not Required' - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n },\r\n {\r\n \"identifier\": \"Sid\",\r\n \"columnName\": \"TargetSid\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n 
],\r\n \"displayName\": \"AD account with Don't Expire Password\",\r\n \"description\": \"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don't Expire Password - Enabled\\\".\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\r\n \"name\": \"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 8;\\nCarbonBlackNotifications_CL\\n| where threatHunterInfo_score_d >= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n 
\"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Critical Threat Detected\",\r\n \"description\": \"This creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint.\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"VMwareCarbonBlack\",\r\n \"dataTypes\": [\r\n \"CarbonBlackNotifications_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\r\n \"name\": \"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| where NetworkBytes > msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ > msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\r\n \"queryFrequency\": \"PT30M\",\r\n \"queryPeriod\": \"PT30M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": 
{},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Multiple large emails to the same recipient\",\r\n \"description\": \"Detects when multiple emails with lage size where sent to the same recipient.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\r\n \"name\": \"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. 
with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Starting or Stopping HealthService to Avoid Detection\",\r\n \"description\": \"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the service.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\r\n \"name\": 
\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount > triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated > ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) > dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri's and/or >=3 repeating letters\\nlet nonRepeatingTris = 
allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ > 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated > ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"DNS\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"DomainName\",\r\n \"columnName\": \"Name\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Possible contact with a domain generated by a DGA\",\r\n \"description\": \"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). 
DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Barracuda\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\r\n \"name\": 
\"78422ef2-62bf-48ca-9bab-72c69818a425\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio > threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple RDP connections from Single System\",\r\n \"description\": \"Identifies when an RDP connection is made to multiple systems and above 
the normal for the previous 7 days. \\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\r\n \"name\": \"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityAlert | where TimeGenerated >= ago(dt_lookBack)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ 
\\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend SecurityAlert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityAlert_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = SecurityAlert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SecurityAlert\",\r\n \"description\": \"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n 
\"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\r\n \"name\": \"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\\n| where attachedMimeType == 'application/zip'\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ > msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\r\n \"queryFrequency\": \"PT30M\",\r\n \"queryPeriod\": \"PT30M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Multiple archived attachments to the same recipient\",\r\n \"description\": \"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n 
\"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\r\n \"name\": \"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n 
\"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map File Hash to CommonSecurityLog Event\",\r\n \"description\": \"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00282588-11e7-436d-90e8-011256c3c691\",\r\n \"name\": \"00282588-11e7-436d-90e8-011256c3c691\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n 
\"query\": \"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == 'medium' or modelSeverity_s == 'low'\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Create Incident for XDR Alerts (Medium & Low)\",\r\n \"description\": \"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Azure Sentinel usage. 
(Medium & Low Serverity Alerts)\",\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"TrendMicroXDR\",\r\n \"dataTypes\": [\r\n \"TrendMicro_XDR_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\r\n \"name\": \"46ac55ae-47b8-414a-8f94-89ccd1962178\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let mode = 'Blocked'; \\nlet successCode = dynamic(['200', '101','204', '400','504','304','401','500']);\\nlet minTime = ago(1d);\\nlet maxSessionWindow = 1h;\\nlet sessionBin = maxSessionWindow/2.0;\\nAzureDiagnostics\\n| where TimeGenerated > minTime\\n| where Category == 'ApplicationGatewayFirewallLog'\\n| where action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\\n| extend duration = maxTime - minTime\\n| extend TimeKey = bin(SessionStarted, sessionBin)\\n| join kind = inner(\\nAzureDiagnostics\\n| where TimeGenerated > minTime\\n| where Category == 'ApplicationGatewayAccessLog'\\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n) 
on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\\n| where (TimeGenerated - SessionStarted) between (0m .. duration)\\n| extend originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\")\\n| extend serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \\nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| where SessionBlockedCount > SuccessfulAccessLogCount\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"A potentially malicious web request was executed against a web server\",\r\n \"description\": \"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. 
The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-20T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\r\n \"name\": \"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI's seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes > 0 and ReceivedBytes > 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited 
for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI <= uriThreshold\\n| where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN's while decreasing FP's\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Request for single resource on domain\",\r\n \"description\": \"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. 
Developed for Zscaler but applicable to any outbound web logging.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"name\": \"155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", 
DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName in~ (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPCustomEntity = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Phosphorus group domains/IP\",\r\n \"description\": \"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-03T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n 
\"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8675dd7a-795e-4d56-a79c-fc848c5ee61c\",\r\n \"name\": \"8675dd7a-795e-4d56-a79c-fc848c5ee61c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"ProofPointTAPClicksPermitted_CL\\n| where classification_s =~ \\\"malware\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\\n| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress, URLCustomEntity = URLClicked\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n 
{\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malware Link Clicked\",\r\n \"description\": \"This query identifies a user clicking on an email link whose threat category is classified as a malware\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointTAP\",\r\n \"dataTypes\": [\r\n \"ProofPointTAPClicksPermitted_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\r\n \"name\": \"fbfbf530-506b-49a4-81ad-4030885a195c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated > ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where 
alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated > ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n 
\"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\r\n \"description\": \"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-05-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\r\n \"name\": \"0bd65651-1404-438b-8f63-eecddcec87b4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n 
\"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nEvent\\n| where TimeGenerated > ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, '\\\\\\\\', -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n| union isfuzzy=true (\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has 'wmiprvse.exe'\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any ('rundll32') \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where 
TimeGenerated > ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring(['@Name']), Value=['#text']\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Gain Code Execution on ADFS Server via Remote WMI Execution\",\r\n \"description\": \"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look 
for potentially malicious ADFS activity. See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\r\n \"name\": \"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^']*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"HAFNIUM Suspicious File Downloads.\",\r\n \"description\": \"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-10T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\r\n \"name\": \"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, 
AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Exchange AuditLog disabled\",\r\n \"description\": \"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\r\n \"name\": \"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet 
AC_Add = \\nSecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * '\\\"MemberName\\\">' AccountAdded \\\",OU\\\" * \\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * '\\\"MemberName\\\">' AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed > 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Account added and removed from privileged groups\",\r\n \"description\": \"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.' \",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\r\n \"name\": \"472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-CLEARTEXT-PASSWORD\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-USER-REVER-PWDS\\\", \\\"C-PASSWORD-POLICY\\\", \\\"C-USER-PASSWORD\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-AAD-SSO-PASSWORD\\\", \\\"C-REVER-PWD-GPO\\\"];\\nafad_parser\\n| where MessageType == 0 and 
Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid Password issues\",\r\n \"description\": \"Searches for triggered Indicators of Exposures related to password issues\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-07T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\r\n \"name\": \"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookback = 14d;\\nlet timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated > ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"HAFNIUM New UM Service Child Process\",\r\n \"description\": \"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\r\n \"name\": \"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookBack_long = 14d;\\nlet lookBack_med = 7d;\\nlet lookBack = 1d;\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack_long))\\n| extend locationString = 
strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope > 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack_med))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n| top 50 by Slope desc\\n| where Slope > 0.3\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\nSigninLogs\\n| where TimeGenerated >= startofday(ago(lookBack))\\n| extend locationString = strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in 
range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n| where Slope > 5\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous sign-in location by user account and authenticating application\",\r\n \"description\": \"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. 
An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 7-day and 14-day periods.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\r\n \"name\": \"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = 
toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, 
last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco ASA - average attack detection rate increase\",\r\n \"description\": \"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\r\n \"name\": \"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" \\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords '}'*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords '}'*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords '}'*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\\\\\')[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = 
StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malicious Inbox Rule\",\r\n \"description\": \"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they've been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\r\n \"name\": \"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"AzureActivity\\n| extend message = tostring(parse_json(Properties).message)\\n| extend AppId = tostring(parse_json(Claims).appid)\\n| where AppId contains \\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\"\\n| where OperationName =~ \\\"Microsoft.Portal/consoles/write\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New CloudShell User\",\r\n \"description\": 
\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\r\n \"name\": \"cf3ede88-a429-493b-9108-3e46d3c741f7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated > ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in 
each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess >= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": \"PT6H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SecurityEvent - Multiple authentication failures followed by a success\",\r\n \"description\": \"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\r\n \"name\": \"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let threshold = 100;\\nSymantecProxySG \\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ > threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n 
\"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Denied Proxy Traffic\",\r\n \"description\": \"This alert creates an incident when a client generates an excessive amounts of denied proxy traffic.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecProxySG\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\r\n \"name\": \"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 3;\\nSigninLogs\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count(), applicationCount = dcount(AppDisplayName), \\napplicationSet = makeset(AppDisplayName) by UserPrincipalName, IPAddress\\n| where applicationCount >= threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Attempts to sign in to disabled accounts\",\r\n \"description\": \"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\r\n \"name\": \"32555639-b639-4c2b-afda-c0ae0abefa55\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n 
],\r\n \"displayName\": \"Monitor AWS Credential abuse or hijacking\",\r\n \"description\": \"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\r\n \"name\": \"910124df-913c-47e3-a7cd-29e1643fa55e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ > signin_threshold\\n| summarize 
make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AWS Console logons but success logon to AzureAD\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\r\n \"name\": \"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SymantecProxySG\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User Accessed Suspicious URL Categories\",\r\n \"description\": \"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n 
{\r\n \"connectorId\": \"SymantecProxySG\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\r\n \"name\": \"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let s_threshold = 30;\\nlet l_threshold = 3;\\nSigninLogs\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \\n| extend LocationString= strcat(tostring(LocationDetails[\\\"countryOrRegion\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"state\\\"]), \\\"/\\\", tostring(LocationDetails[\\\"city\\\"]))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount > s_threshold and LocationCount >= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Distributed Password cracking attempts in AzureAD\",\r\n \"description\": \"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\r\n \"name\": 
\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let regexEmpire = @\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get
-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-
NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllT
okens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, ' ')[0]), CommandLine\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate('\\\\0','', base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": 
\"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Powershell Empire cmdlets seen in command line\",\r\n \"description\": \"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\r\n \"name\": \"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated > ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld > threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = 
tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld > threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P10D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential DGA detected\",\r\n \"description\": \"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). 
Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\r\n \"name\": \"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key =tostring(['@Name']), Value = ['#text']\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, 
HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\r\n \"description\": \"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-18T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\r\n \"name\": \"5efb0cfd-063d-417a-803b-562eae5b0301\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated >= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount > ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', DefId),\\nstrcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\\n| where CurrentCount >= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = StartTime, AccountCustomEntity = ActorUPN\",\r\n \"queryFrequency\": \"PT6H\",\r\n \"queryPeriod\": 
\"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Service Conection Addition/Abuse - Historic Allowlist\",\r\n \"description\": \"This detection builds a allowlist of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use in non manually allowlisted, non historically allowlisted Build/Release runs.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\r\n \"name\": \"4ca74dc0-8352-4ac5-893c-73571cc78331\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = 
tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps - Variable Secret Not Secured\",\r\n \"description\": \"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as secrets. 
This detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\r\n \"name\": \"2b701288-b428-4fb8-805e-e4372c574786\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet signinData =\\n SigninLogs\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(LocationDetails['countryOrRegion'])\\n | where isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | 
summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta >= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries >= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in data, this can be configured, less than 10% is uncommon\\n| where prevalence < countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n OfficeActivity\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", 
\\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Anomalous login followed by Teams action\",\r\n \"description\": \"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and 
selects accounts where a delta >= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\r\n \"name\": \"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": 
\"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Connection to non-corporate private network\",\r\n \"description\": \"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-29T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\r\n \"name\": \"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| extend Hostname = 
parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"UrlCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Connection to Unpopular Website Detected\",\r\n \"description\": \"Detects first connection to an unpopular website (possible malicious payload delivery).\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\r\n \"name\": \"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 15;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ 
\\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Failed Authentication from Invalid Inputs\",\r\n \"description\": \"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SymantecVIP\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a602940-4153-4045-a741-3bf15591ae29\",\r\n \"name\": \"8a602940-4153-4045-a741-3bf15591ae29\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.2.2\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": 
null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.4\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Attempted computer bruteforce\",\r\n \"description\": \"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. It indicates anomalous high volume of failed login attempts in the last day.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\r\n \"name\": \"106813db-679e-4382-a51b-1bfc463befc3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n 
CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime > ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ 'url'\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim('\\\"', PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat('http://', PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat('https://', PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CSL_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CSL_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CSL_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to PaloAlto 
data\",\r\n \"description\": \"Identifies a match in PaloAlto data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\r\n \"name\": \"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod; \\nlet GitHubFailedSSOLogins = (SigninLogs \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime) \\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime)\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime > LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Brute Force Attack against GitHub Account\",\r\n \"description\": \"Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-20T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"name\": \"f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Fusion\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"displayName\": \"Advanced Multistage Attack Detection\",\r\n \"description\": \"Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. 
By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nThere are a total of 90 Fusion incident types detected by Azure Sentinel.\\n\\nTo detect these multistage attacks, the following data connectors must be configured:\\n- Azure Active Directory Identity Protection.\\n- Microsoft Cloud App Security.\\n- Microsoft Defender for Endpoint.\\n- Azure Defender.\\n- Palo Alto Networks.\\n\\nFor a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"CommandAndControl\",\r\n \"DefenseEvasion\",\r\n \"Discovery\",\r\n \"Execution\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"InitialAccess\",\r\n \"LateralMovement\",\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-09T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\r\n \"name\": \"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 10m;\\nlet disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'inbound'\\n| where FilterDisposition !in ('reject', 'discard')\\n| extend attachedExt = todynamic(MsgParts)[0]['detectedExt']\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = 
DstUserUpn\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Suspicious attachment\",\r\n \"description\": \"Detects when email contains suspicious attachment (file type).\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\r\n \"name\": \"643c2025-9604-47c5-833f-7b4b9378a1f5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet Suspicious_signins = \\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress != \\\"127.0.0.1\\\"\\n| summarize count() by IPAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = 
tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed AzureAD logons but success logon to AWS Console\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\r\n \"name\": \"2fc5d810-c9cc-491a-b564-841427ae0e50\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": 
\"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to SecurityEvent\",\r\n \"description\": \"Identifies a match in SecurityEvent table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\r\n \"name\": \"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": 
\"MLBehaviorAnalytics\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Anomalous SSH Login Detection\",\r\n \"description\": \"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Azure Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Azure Sentinel workspace’s geography as necessary for processing by the machine learning engine.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\r\n \"name\": \"8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": 
\"High\",\r\n \"query\": \"let timeframe = 14d;\\nlet time_generated_bucket = 1h;\\nlet min_urgency = 9;\\nlet maxTimeGeneratedBucket = toscalar(\\n CyberpionActionItems_CL\\n | where TimeGenerated > ago(timeframe)\\n | summarize max(bin(TimeGenerated, time_generated_bucket))\\n );\\nCyberpionActionItems_CL\\n | where TimeGenerated > ago(timeframe) and is_open_b == true\\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\\n | where urgency_d >= min_urgency\\n | extend timestamp = opening_datetime_t\\n | extend DNSCustomEntity = host_s\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"DNS\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"DomainName\",\r\n \"columnName\": \"DNSCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High Urgency Cyberpion Action Items\",\r\n \"description\": \"This query creates an alert for active Cyberpion Action Items with high urgency (9-10).\\n Urgency can be altered using the \\\"min_urgency\\\" variable in the query.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CyberpionSecurityLogs\",\r\n \"dataTypes\": [\r\n \"CyberpionActionItems_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\r\n \"name\": \"40ba9493-4183-4eee-974f-87fe39c8f267\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": 
\"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Azure Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (AATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\r\n \"name\": \"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.2.2\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.1\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Attempted user account bruteforce\",\r\n \"description\": \"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\r\n \"name\": \"d3980830-dd9d-40a5-911f-76b44dfdce16\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SigninLogs\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName\\n| where CountOfLocations > 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"GitHub Signin Burst from Multiple Locations\",\r\n \"description\": \"This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": 
\"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\r\n \"name\": \"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = MD5\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"FileHash\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Algorithm\",\r\n \"columnName\": \"MD5\"\r\n },\r\n 
{\r\n \"identifier\": \"Value\",\r\n \"columnName\": \"FileHashCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SUNBURST and SUPERNOVA backdoor hashes\",\r\n \"description\": \"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-31T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceFileEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\r\n \"name\": \"ba144bf8-75b8-406f-9420-ed74397f9479\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet suspicious_signins = \\n SigninLogs\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress != \\\"127.0.0.1\\\"\\n | summarize count() by IPAddress\\n | where count_ > signin_threshold\\n | summarize 
make_list(IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\\\"User name: ([^,]+)\\\", 1, Message) \\n | extend ClientOS = extract(\\\"Client OS version: ([^,\\\\\\\"]+)\\\", 1, Message)\\n | extend Location = extract(\\\"Source region: ([^,]{2})\\\",1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\r\n \"description\": 
\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-09-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\r\n \"name\": \"9f86885f-f31f-4e66-a39d-352771ee789e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"CarbonBlackEvents_CL\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n 
\"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Malware Detected\",\r\n \"description\": \"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"VMwareCarbonBlack\",\r\n \"dataTypes\": [\r\n \"CarbonBlackEvents_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\r\n \"name\": \"957cb240-f45d-4491-9ba5-93430a3c08be\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any ('NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)','devilfish-applicationaccount') and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": 
\"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare and potentially high-risk Office operations\",\r\n \"description\": \"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Collection\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\r\n \"name\": \"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.2.2\",\r\n \"techniques\": [\r\n \"T1001\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.07\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is 
greater than the chosen value\",\r\n \"sequenceNumber\": 1,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Suspicious volume of logins to computer\",\r\n \"description\": \"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. It indicates anomalous high volume of successful logins in the last day\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\r\n \"name\": \"44a555d8-ecee-4a25-95ce-055879b4b14b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == 
\\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = 
count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount >= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of connections by client IP on many ports\",\r\n \"description\": \"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. 
\\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\r\n \"name\": \"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", 
tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Office policy tampering\",\r\n \"description\": \"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\r\n \"name\": \"ab4b6944-a20d-42ab-8b63-238426525801\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated >= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, 
DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where TimeGenerated >= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated >= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"HostName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"DNS\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"DomainName\",\r\n \"columnName\": \"DNSName\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Process\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"ProcessId\",\r\n \"columnName\": \"FirstPid\"\r\n },\r\n {\r\n \"identifier\": \"CommandLine\",\r\n \"columnName\": \"CommandLine\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"File\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Directory\",\r\n \"columnName\": \"DirectoryName\"\r\n },\r\n {\r\n \"identifier\": \"Name\",\r\n \"columnName\": \"Filename\"\r\n }\r\n 
]\r\n }\r\n ],\r\n \"displayName\": \"Solorigate Domains Found in VM Insights\",\r\n \"description\": \"Identifies connections to Solorigate-related DNS records based on VM insights data\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMProcess\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMComputer\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\r\n \"name\": \"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": 
\"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to AWS Elastic Load Balancer security groups\",\r\n \"description\": \"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\r\n \"name\": \"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", 
\\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name 
\\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"THALLIUM domains included in DCU takedown\",\r\n \"description\": \"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. 
\\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-01-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\r\n \"name\": \"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"W3CIISLog\\n| where csMethod == 'GET'\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = 
csUserName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SUPERNOVA webshell\",\r\n \"description\": \"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\r\n \"name\": \"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = 
SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode('base64')\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Process executed from binary hidden in Base64 encoded file\",\r\n \"description\": \"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\r\n \"name\": \"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, 
IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to AuditLogs\",\r\n \"description\": \"Identifies a match in AuditLogs from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\r\n \"name\": \"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dontnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated > ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated > ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file 
modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime <= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Build Process Compromise - MDE\",\r\n \"description\": \"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceProcessEvents\",\r\n \"DeviceFileEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\r\n \"name\": \"4b93c5af-d20b-4236-b696-a28b8c51407f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated > ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated > ago(timeframe) \\n // A user account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = 
SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime < spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) >= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P2D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n },\r\n {\r\n \"identifier\": \"Sid\",\r\n \"columnName\": \"SIDofAccountUsedToCreate\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account created and deleted within 10 mins\",\r\n \"description\": \"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\r\n \"name\": \"23de46ea-c425-4a77-b456-511ae4855d69\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic(\\n[\\\"List keys\\\", \\\"List Storage Account Keys\\\", \\\"Register Subscription\\\", \\\"Create or Update Snapshot\\\", \\\"Create or Update Network Security Group\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationName in~ (SensitiveOperationList)\\n| where ActivityStatus =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ >= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated >= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationName\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare subscription-level operations in Azure\",\r\n \"description\": \"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\r\n \"name\": \"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'inbound'\\n| where FilterDisposition !in ('reject', 'discard')\\n| where FilterModulesSpamScoresOverall == '100'\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - High risk message not discarded\",\r\n \"description\": \"Detects when email with high risk score was not rejected or discarded by filters.\",\r\n \"tactics\": [\r\n 
\"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\r\n \"name\": \"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.0\",\r\n \"techniques\": [\r\n \"Unknown\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": [\r\n {\r\n \"supportedValues\": [\r\n \"Distinct number of operations\",\r\n \"Distinct number of ClientInfoString\",\r\n \"Distinct number of mailboxes\",\r\n \"Number of operations\",\r\n \"Distinct number of IP addresses\",\r\n \"Distinct number of /24 subnets\",\r\n \"Distinct number of /16 subnets\",\r\n \"Number of MessageBind operations\",\r\n \"Number of FolderBind operations\",\r\n \"Number of UpdateInboxRules operations\",\r\n \"Number of MailItemsAccessed operations\"\r\n ],\r\n \"values\": [\r\n \"Distinct number of operations\",\r\n \"Distinct number of ClientInfoString\",\r\n \"Distinct number of mailboxes\",\r\n \"Number of operations\",\r\n \"Distinct number of IP addresses\",\r\n \"Distinct number of /24 subnets\",\r\n \"Distinct number of /16 subnets\",\r\n \"Number of MessageBind operations\",\r\n \"Number of FolderBind operations\",\r\n \"Number of UpdateInboxRules operations\",\r\n \"Number of MailItemsAccessed operations\"\r\n ],\r\n \"supportedValuesKql\": null,\r\n 
\"valuesKql\": null,\r\n \"name\": \"Top reason for high anomaly score\",\r\n \"description\": \"Include only anomalies where the top reason is one of these values.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"RerunAlways\"\r\n }\r\n ],\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0.0\",\r\n \"maximum\": \"1.0\",\r\n \"value\": \"0.6\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Anomalous user activities in Office Exchange\",\r\n \"description\": \"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-04T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity (Exchange)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\r\n \"name\": \"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ >= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 1,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n 
]\r\n }\r\n ],\r\n \"displayName\": \"Several deny actions registered\",\r\n \"description\": \"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"LateralMovement\",\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\r\n \"name\": \"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 1000;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ > threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential DHCP 
Starvation Attack\",\r\n \"description\": \"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"InfobloxNIOS\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\r\n \"name\": \"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"ThreatIntelligence\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"displayName\": \"(Preview) Microsoft Threat Intelligence Analytics\",\r\n \"description\": \"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity and are turned ON by default. 
\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-09-15T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\r\n \"name\": \"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s > FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n 
\"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Password Spray Attack\",\r\n \"description\": \"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\r\n \"name\": \"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", 
\\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"InitiatingProcessAccountUpn\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"DeviceName\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"HAFNIUM UM Service writing suspicious file\",\r\n \"description\": \"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-08T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-03-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceFileEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 
0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3c658bd-8da9-4372-82e4-aaffa922f428\",\r\n \"name\": \"d3c658bd-8da9-4372-82e4-aaffa922f428\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"afad_parser\\n| where MessageType == 2 and Codename == \\\"DCSync\\\"\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid DCSync\",\r\n \"description\": \"Searches for DCSync attacks\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\r\n \"name\": \"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * 'TicketEncryptionType\\\">' TicketEncryptionType \\\"<\\\" *\\n| 
where TicketEncryptionType == '0x17'\\n| parse EventData with * 'TicketOptions\\\">' TicketOptions \\\"<\\\" *\\n| where TicketOptions == '0x40810000'\\n| parse EventData with * 'Status\\\">' Status \\\"<\\\" *\\n| where Status == '0x0'\\n| parse EventData with * 'ServiceName\\\">' ServiceName \\\"<\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * 'TargetUserName\\\">' TargetUserName \\\"<\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * 'IpAddress\\\">::ffff:' ClientIPAddress \\\"<\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h < prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated >= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h > prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = 
ClientIPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Potential Kerberoasting\",\r\n \"description\": \"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. 
This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\r\n \"name\": \"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated > ago(timeframe)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ 
\\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure Key Vault access TimeSeries anomaly\",\r\n \"description\": \"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. 
Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\r\n \"name\": \"500415fb-bba7-4227-a08a-9857fb61b6a7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n 
ClientIP has \\\".\\\" and ClientIP has \\\":\\\", (split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mail redirect via ExO transport rule\",\r\n \"description\": \"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-05-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\r\n \"name\": \"f845881e-2500-44dc-8ed7-b372af3e1e25\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount < c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n 
\"displayName\": \"Anomalous User Agent connection attempt\",\r\n \"description\": \"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\r\n \"name\": \"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$';\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, 
EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, Category, OperationName,\\nOperationNameValue, ActivityStatus, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Email entity to AzureActivity\",\r\n \"description\": \"Identifies a match in AzureActivity table from any Email IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\r\n \"name\": \"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 0\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps - Retention Reduced to Zero\",\r\n \"description\": \"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs to 0.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\r\n \"name\": \"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace('\\\"','',newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = initByApp.servicePrincipalId,\\nServicePrincipalName = initByApp.servicePrincipalName,\\nUserId = 
initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = initByUser.userPrincipalName\\n//| where GroupName in~ (PrivilegedGroups)\\n// If you want to still alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User added to Azure Active Directory Privileged Groups\",\r\n \"description\": \"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-25T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n 
\"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\r\n \"name\": \"500c103a-0319-4d56-8e99-3cec8d860757\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SigninLogs \\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = makeset(UserPrincipalName), \\napplicationSet = makeset(AppDisplayName) by IPAddress\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = makeset(UserPrincipalName, 15) by IPAddress\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount < 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where successfulAccountSigninCount != 0\\n| project StartTimeUtc, EndTimeUtc, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet\\n| order by disabledAccountLoginAttempts\\n| extend 
timestamp = StartTimeUtc, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\r\n \"description\": \"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\r\n \"name\": \"9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Spraying\\\"\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": 
[],\r\n \"displayName\": \"Alsid Password Spraying\",\r\n \"description\": \"Searches for Password spraying attacks\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\r\n \"name\": \"8d537f3c-094f-430c-a588-8a87da36ee3a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 15m;\\nlet user_agents=dynamic([\\n '(hydra)',\\n ' arachni/',\\n ' BFAC ',\\n ' brutus ',\\n ' cgichk ',\\n 'core-project/1.0',\\n ' crimscanner/',\\n 'datacha0s',\\n 'dirbuster',\\n 'domino hunter',\\n 'dotdotpwn',\\n 'FHScan Core',\\n 'floodgate',\\n 'get-minimal',\\n 'gootkit auto-rooter scanner',\\n 'grendel-scan',\\n ' inspath ',\\n 'internet ninja',\\n 'jaascois',\\n ' zmeu ',\\n 'masscan',\\n ' metis ',\\n 'morfeus fucking scanner',\\n 'n-stealth',\\n 'nsauditor',\\n 'pmafind',\\n 'security scan',\\n 'springenwerk',\\n 'teh forest lobster',\\n 'toata dragostea',\\n ' vega/',\\n 'voideye',\\n 'webshag',\\n 'webvulnscan',\\n ' whcc/',\\n ' Havij',\\n 'absinthe',\\n 'bsqlbf',\\n 'mysqloit',\\n 'pangolin',\\n 'sql power injector',\\n 'sqlmap',\\n 'sqlninja',\\n 'uil2pn',\\n 'ruler',\\n 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated 
> ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\r\n \"queryFrequency\": \"PT15M\",\r\n \"queryPeriod\": \"PT15M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"UrlCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Hack Tool User-Agent Detected\",\r\n \"description\": \"Detects suspicious user agent strings used by known hack tools\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\r\n \"name\": \"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal 
contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\r\n \"queryFrequency\": \"PT15M\",\r\n \"queryPeriod\": \"PT15M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"UrlCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\r\n \"description\": \"Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\r\n \"name\": \"34663177-8abf-4db1-b0a4-5683ab273f44\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let threshold = 20;\\nPulseConnectSecure\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ > threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"PulseConnectSecure - Potential Brute Force Attempts\",\r\n \"description\": \"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PulseConnectSecure\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\r\n \"name\": \"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated > ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name > threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name > threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Rare client observed with high reverse DNS lookup count\",\r\n \"description\": \"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\r\n \"name\": \"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": 
\"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let EventCountThreshold = 25;\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ > EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| 
where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Mass secret retrieval from Azure Key Vault\",\r\n \"description\": \"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\r\n \"name\": \"39198934-62a0-4781-8416-a81265c03fd6\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" 
and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, 
AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious application consent similar to PwnAuth\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-03T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\r\n \"name\": \"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, 
TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AddingUser\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New PA, PCA, or PCAS added to Azure DevOps\",\r\n \"description\": \"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. This detection looks for users being granted key administrative permissions. If the principal of least privilege is applied the number of users granted these permissions should be small. 
Note that permissions can also be granted via Azure AD groups and monitoring of these should also be conducted.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-18T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\r\n \"name\": \"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend 
CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff('minute', Alert1Time, Alert2Time)) <=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\r\n \"description\": \"When a user has both an Unfamiliar sign-in properties alert and an Atypical travel alert within 20 minutes, the alert should be handled with a higher severity\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectoryIdentityProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (IPC)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\r\n \"name\": \"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * 'SHA256=' SHA265 ',' * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": 
\"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known ZINC related maldoc hash\",\r\n \"description\": \"Document hash used by ZINC in highly targeted spear phishing campaign.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\r\n \"name\": \"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the 
same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P7D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Agent Pool Created Then Deleted\",\r\n \"description\": \"As well as adding build agents to an existing pool to execute malicious activity within a pipeline an attacker could create a complete new agent pool and use this for execution. Azure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this detection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), as an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\r\n \"name\": \"2b328487-162d-4034-b472-59f1d53684a1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal == ''\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\r\n \"queryFrequency\": \"PT15M\",\r\n \"queryPeriod\": \"PT15M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"UrlCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Empty User Agent Detected\",\r\n \"description\": \"Rule helps to detect empty and unusual user agent indicating web browsing 
activity by an unusual process other than a web browser.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\r\n \"name\": \"3533f74c-9207-4047-96e2-0eb9383be587\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated > ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or 
ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated > ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = 
tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious application consent for offline access\",\r\n \"description\": \"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-09T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-26T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\r\n \"name\": \"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == 
\\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known CERIUM domains and hashes\",\r\n \"description\": \"CERIUM malicious webserver and hash values for maldocs and malware. 
\\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\r\n \"name\": \"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated >= ago(dt_lookBack)\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend 
Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to SecurityAlert data\",\r\n \"description\": \"Identifies a match in SecurityAlert data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\r\n \"name\": \"06107abb-1b68-4fdc-841b-8a1ff9301467\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Anomaly\",\r\n \"properties\": {\r\n \"severity\": \"Informational\",\r\n \"anomalyDefinitionVersion\": \"1.0.1\",\r\n \"techniques\": [\r\n \"T1030\"\r\n ],\r\n \"customizableObservations\": {\r\n \"multiSelectObservations\": null,\r\n \"singleSelectObservations\": null,\r\n \"prioritizeExcludeObservations\": null,\r\n \"thresholdObservations\": [\r\n {\r\n \"minimum\": \"0\",\r\n \"maximum\": \"1\",\r\n \"value\": \"0.87\",\r\n \"name\": \"Score\",\r\n \"description\": \"Generate an anomaly when score is greater than the chosen value\",\r\n \"sequenceNumber\": 0,\r\n \"rerun\": \"NotRequired\"\r\n }\r\n ]\r\n },\r\n \"frequency\": \"P1D\",\r\n \"displayName\": \"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\r\n \"description\": \"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\r\n \"name\": \"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated > ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated > ago(dt_lookBack)\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our 
threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == 'host', EntityHostName, '')\\n | extend IP_addr = iif(EntityType == 'ip', EntityAddress, '')\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map Domain entity to SecurityAlert\",\r\n \"description\": \"Identifies a match in SecurityAlert table from 
any Domain IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureSecurityCenter\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\r\n \"name\": \"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"CommonSecurityLog \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. 
toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. \\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ >= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": 
\"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Palo Alto - possible internal to external port scanning\",\r\n \"description\": \"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\r\n \"tactics\": [\r\n \"Discovery\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\r\n \"name\": \"69a45b05-71f5-45ca-8944-2e038747fb39\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let endtime = 1d;\\nlet starttime = 8d;\\n// The 
threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --> SecondHop > FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --> FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --> FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop > FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop <= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by 
bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount >= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"RDP Nesting\",\r\n \"description\": \"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\r\n \"tactics\": [\r\n \"LateralMovement\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-10-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\r\n \"name\": \"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"eset_CL\\n| where event_type_s == 'FilteredWebsites_Event'\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\r\n \"queryFrequency\": \"PT5M\",\r\n \"queryPeriod\": \"PT5M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n 
}\r\n ],\r\n \"displayName\": \"Web sites blocked by Eset\",\r\n \"description\": \"Create alert on web sites blocked by Eset.\",\r\n \"tactics\": [\r\n \"Exfiltration\",\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-09T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"EsetSMC\",\r\n \"dataTypes\": [\r\n \"eset_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\r\n \"name\": \"223db5c1-1bf8-47d8-8806-bed401b356a4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet azPortalSignins = materialize(SigninLogs\\n| where TimeGenerated >= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated >= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated > TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated >= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = 
tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation\\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed login attempts to Azure Portal\",\r\n \"description\": \"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\r\n \"name\": \"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ > signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains 'auth' and ProcessName != 'sudo'\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != 
\\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ > signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed host logons but success logon to AzureAD\",\r\n \"description\": \"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 
0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\r\n \"name\": \"d564ff12-8f53-41b8-8649-44f76b37b99f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount > ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', DefId),\\n strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\\n| extend timestamp = StartTime\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Azure DevOps Service Conection Abuse\",\r\n \"description\": \"Flags builds/releases that use a large number of service connections if they aren't manually allowlisted.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\r\n \"name\": \"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\")\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SUNSPOT log file creation\",\r\n \"description\": \"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the 
SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceFileEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\r\n \"name\": \"f110287e-1358-490d-8147-ed804b328514\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), 
NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AWSCloudTrail\",\r\n \"description\": \"Identifies a match in AWSCloudTrail from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n 
\"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\r\n \"name\": \"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where published_t >= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\r\n \"queryFrequency\": \"PT3H\",\r\n \"queryPeriod\": \"PT3H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User Login from Different Countries within 3 hours\",\r\n \"description\": \"This query searches for successful user logins to the Okta Console from different countries within 3 hours\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n 
\"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OktaSSO\",\r\n \"dataTypes\": [\r\n \"Okta_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\r\n \"name\": \"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| 
project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"External Upstream Source Added to Azure DevOps Feed\",\r\n \"description\": \"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. 
An attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\r\n \"name\": \"f2eb15bd-8a88-4b24-9281-e133edfba315\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n SigninLogs | where TimeGenerated >= ago(dt_lookBack)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend Region = tostring(LocationDetails[\\\"countryOrRegion\\\"]), State = 
tostring(LocationDetails[\\\"state\\\"]), City = tostring(LocationDetails[\\\"city\\\"])\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to SigninLogs\",\r\n \"description\": \"Identifies a match in SigninLogs from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": 
\"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\r\n \"name\": \"074ce265-f684-41cd-af07-613c5f3e6d0d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| extend IPAddress = RemoteIp, Host = Computer),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known STRONTIUM group domains - July 2019\",\r\n \"description\": \"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-05T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-25T00:00:00Z\",\r\n \"status\": 
\"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\r\n \"name\": \"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Cloud App Security\",\r\n \"displayName\": \"Create incidents based on Microsoft Cloud App Security alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Microsoft Cloud App Security\",\r\n \"lastUpdatedDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-07-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MCAS)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\r\n \"name\": 
\"173f8699-6af5-484a-8b06-8c47ba89b380\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) > max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple Teams deleted by a single user\",\r\n \"description\": \"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Azure Sentinel.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-09-13T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity (Teams)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\r\n \"name\": 
\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n// When MemberName contains '-' this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = tostring(split(tostring(split(MemberName, \\\",\\\")[0]),\\\"CN=\\\")[1])\\n| project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n 
{\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User account added to built in domain local or global group\",\r\n \"description\": \"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\r\n \"name\": \"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, 
UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Changes to AWS Security Group ingress and egress settings\",\r\n \"description\": \"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\r\n \"name\": \"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MLBehaviorAnalytics\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n 
\"displayName\": \"(Preview) Anomalous RDP Login Detections\",\r\n \"description\": \"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Azure Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Azure Sentinel workspace’s geography as necessary for processing by the machine learning engine.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-26T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-02T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\r\n \"name\": \"9713e3c0-1410-468d-b79e-383448434b2d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n VMConnection\\n | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n 
},\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to VMConnection\",\r\n \"description\": \"Identifies a match in VMConnection from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\r\n \"name\": \"19e01883-15d8-4eb6-a7a5-3276cd668388\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == 
\\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same 
client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount >= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"High count of failed attempts from same client IP\",\r\n \"description\": \"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. 
If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-03-19T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\r\n \"name\": \"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n 
\"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Solorigate Defender Detections\",\r\n \"description\": \"Surfaces any Defender Alert for Solorigate Events. In Azure Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (MDATP)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceInfo\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\r\n \"name\": \"7249500f-3038-4b83-8549-9cd8dfa2d498\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = dynamic([\\\"de-ma.online\\\", 
\\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ 'OATP'\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n 
isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known PHOSPHORUS group domains/IP - October 2020\",\r\n \"description\": \"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-10-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Cisco)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (PaloAlto)\"\r\n ]\r\n },\r\n {\r\n 
\"connectorId\": \"Zscaler\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Zscaler)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog (Fortinet)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"OfficeATP\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (OATP)\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureFirewall\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics (Azure Firewall)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\r\n \"name\": \"3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 2\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid Indicators of Attack\",\r\n \"description\": \"Searches for triggered Indicators of Attack\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\r\n \"name\": \"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic(['foo@baz.com', 'test@foo.com']);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated >= ago(endtime)\\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName '(Organization)'\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_git/', Data.RepoName, '/pullrequest/', Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"PT3H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": 
[\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Pull Request Policy Bypassing - Historic Allowlist\",\r\n \"description\": \"This detection builds a Allowlist of historic PR policy bypasses and compares to recent history, flagging a non manually allowlisted, non historic pull request bypass.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-16T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"name\": \"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Office 365 Advanced Threat Protection\",\r\n \"displayName\": \"Create incidents based on Office 365 Advanced Threat Protection alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Office 365 Advanced Threat Protection\",\r\n \"lastUpdatedDateUTC\": \"2020-09-01T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-20T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"OfficeATP\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (OATP)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"name\": 
\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"displayName\": \"Create incidents based on Azure Security Center for IoT alerts\",\r\n \"description\": \"Create incidents based on all alerts generated in Azure Security Center for IoT\",\r\n \"lastUpdatedDateUTC\": \"2019-12-24T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-12-24T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"IoT\",\r\n \"dataTypes\": [\r\n \"SecurityAlert (ASC for IoT)\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\r\n \"name\": \"ac891683-53c3-4f86-86b4-c361708e2b2b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)['foo@bar.com', 'test@foo.com'];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)['Security.','Project.','AuditLog.','Extension.'];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)['Group.UpdateGroupMembership.Add','Library.ServiceConnectionExecuted','Pipelines.PipelineModified',\\n'Release.ReleasePipelineModified', 'Git.RefUpdatePoliciesBypassed'];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in 
(AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Personal Access Token (PAT) misuse\",\r\n \"description\": \"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require Allowlisting and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-23T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\r\n \"name\": \"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let PerUserThreshold = 5;\\nlet 
TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account's password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action)\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetResourceName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = TargetResourceName, Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type),\\n(SigninLogs\\n| where OperationName =~ \\\"Sign-in activity\\\" and ResultType has_any (\\\"50125\\\", \\\"50133\\\")\\n| project TimeGenerated, AccountType = AppDisplayName, Computer = IPAddress, Account = UserPrincipalName, 
Type\\n)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), AccountType = makeset(AccountType), Total=count() by Account, Type\\n| where Total > PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), Account = tostring(makeset(Account)), AccountType = makeset(AccountType), Total=count() by Type\\n| where Total > TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = tostring(Computer)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple Password Reset by user\",\r\n \"description\": \"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-09-03T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Syslog\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\r\n \"name\": \"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n 
\\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n), \\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer \\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) 
or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer \\n), \\n(Event \\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" \\n| where EventID == 3 \\n| extend EvData = parse_xml(EventData) \\n| extend EventDetail = EvData.DataItem.EventData.Data \\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"] \\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\") \\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n) \\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Barium IP\",\r\n \"description\": \"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. 
\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer' \",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(WireData)\",\r\n \"dataTypes\": [\r\n \"WireData\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceNetworkEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\r\n \"name\": \"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\r\n \"type\": 
\"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"DNS events related to ToR proxies\",\r\n \"description\": \"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\r\n \"name\": \"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated > ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source->destination 'sessions'\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination 
to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds > TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source->destination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = 
(series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity >= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Fortinet - Beacon pattern detected\",\r\n \"description\": \"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. 
Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-03-31T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\r\n \"name\": \"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities['Type'] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities['Address']), AttackerCountry = tostring(Entities['Location']['CountryName']);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities['Type'] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities['Directory']), MaliciousFileName = tostring(Entities['Name']), MaliciousFileHashes = tostring(Entities['FileHashes']);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so 
we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don't work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) < 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName,HashAlgo = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"FileHash\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Algorithm\",\r\n \"columnName\": \"MD5\"\r\n },\r\n {\r\n \"identifier\": \"Value\",\r\n \"columnName\": \"FileHashCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Linked Malicious Storage Artifacts\",\r\n \"description\": \"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-14T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": 
\"MicrosoftCloudAppSecurity\",\r\n \"dataTypes\": [\r\n \"SecurityAlert\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\r\n \"name\": \"f8127962-7739-4211-a4a9-390a7a00e91f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 30m;\\nlet lbperiod = 30d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated > ago(lbperiod)\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| where SrcUserUpn != ''\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. 
now())\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| extend isProtected = todynamic(MsgParts)[0]['isProtected']\\n| extend mimePgp = todynamic(MsgParts)[0]['detectedMime']\\n| where isProtected == 'true' or mimePgp == 'application/pgp-encrypted'\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\r\n \"queryFrequency\": \"PT30M\",\r\n \"queryPeriod\": \"PT30M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Multiple protected emails to unknown recipient\",\r\n \"description\": \"Detects when multiple protected messages where sent to early not seen recipient.\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"name\": \"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let 
EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated >= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated >= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated >= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\\n| extend AttachEvent 
= pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Full Admin policy created and then attached to Roles, Users or Groups\",\r\n \"description\": \"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
\\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\r\n \"tactics\": [\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\r\n \"name\": \"155e9134-d5ad-4a6f-88f3-99c220040b66\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated > ago(timeback) and TimeGenerated < ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName =~ 
\\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated > ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts > 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Pipleine modified by a New User.\",\r\n \"description\": \"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. This detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. 
This query also joins events with data to Azure AD Identity Protection (AAD IdP) in order to show if the user conducting the action has any associated AAD IdP alerts, you can also chose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\r\n \"name\": \"79566f41-df67-4e10-a703-c38a6213afd8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != 
\\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Azure Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New 
access credential added to Application or Service Principal\",\r\n \"description\": \"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"AuditLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\r\n \"name\": \"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| where UrlCategory contains 'Adult Themes' or\\n UrlCategory contains 'Adware' or\\n UrlCategory contains 'Alcohol' or\\n UrlCategory contains 
'Illegal Downloads' or\\n UrlCategory contains 'Drugs' or\\n UrlCategory contains 'Child Abuse Content' or\\n UrlCategory contains 'Hate/Discrimination' or\\n UrlCategory contains 'Nudity' or\\n UrlCategory contains 'Pornography' or\\n UrlCategory contains 'Proxy/Anonymizer' or\\n UrlCategory contains 'Sexuality' or\\n UrlCategory contains 'Tasteless' or\\n UrlCategory contains 'Terrorism' or\\n UrlCategory contains 'Web Spam' or\\n UrlCategory contains 'German Youth Protection' or\\n UrlCategory contains 'Illegal Activities' or\\n UrlCategory contains 'Lingerie/Bikini' or\\n UrlCategory contains 'Weapons'\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\r\n \"description\": \"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..\",\r\n \"tactics\": [\r\n \"CommandAndControl\",\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\r\n \"name\": \"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Audit Stream Disabled\",\r\n \"description\": \"Azure DevOps allow for audit logs to streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and them re-enabling them after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\r\n \"name\": \"3d645a88-2724-41a7-adea-db74c439cf79\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 5000;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ > threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Amount of Denied Connections from a Single Source\",\r\n \"description\": \"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-07-08T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SophosXGFirewall\",\r\n \"dataTypes\": [\r\n 
\"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\r\n \"name\": \"a357535e-f722-4afe-b375-cff362b2b376\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * 'User-Agent\\\\\\\\\\\":\\\\\\\\\\\"' UserAgent2 '\\\\\\\\' *\\n| parse ExtendedProperties with * 'UserAgent\\\", \\\"Value\\\": \\\"' UserAgent1 '\\\"' *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == 'AzureActiveDirectoryStsLogon', UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != '-'\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, 
csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith '\\\\\\\"'\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Malformed user 
agent\",\r\n \"description\": \"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-01-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"WAF\",\r\n \"dataTypes\": [\r\n \"AzureDiagnostics\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\r\n \"name\": \"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'proxylogs'\\n| where DvcAction =~ 'Allowed'\\n| where UrlOriginal matches regex @'\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*'\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n 
\"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - URI contains IP address\",\r\n \"description\": \"Malware can use IP address to communicate with C2.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\r\n \"name\": \"bf07ca9c-e408-443a-8939-6860a45a929e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n 
\"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps - New Extension Added\",\r\n \"description\": \"Extensions added additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. This query looks for new extensions that are not from a configurable list of approved publishers.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-16T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\r\n \"name\": \"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic(['','']);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has 'Administrators'\\n| where Details has \\\"was added as a 
member of group\\\" and (Details endswith '\\\\\\\\Project Administrators' or Details endswith '\\\\\\\\Project Collection Administrators')\\n| parse Details with AddedIdentity ' was added as a member of group [' EntityName ']\\\\\\\\' GroupName\\n| extend Level = iif(GroupName == 'Project Collection Administrators', 'Organization', 'Project'), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == 'Organization', 'High', 'Medium'), AlertDetails = strcat('At ', TimeGenerated, ' UTC ', ActorUPN, '/', ActorDisplayName, ' added ', AddedIdentity, ' to the ', EntityName, ' ', Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == 'Organization'\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\r\n \"queryFrequency\": \"PT4H\",\r\n \"queryPeriod\": \"PT4H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure DevOps Administrator Group Monitoring\",\r\n \"description\": \"This detection monitors for additions to project or project collection administration groups in an Azure DevOps Organization.\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-06-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n 
\"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\r\n \"name\": \"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco ASA - threat detection message fired\",\r\n \"description\": \"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\r\n \"tactics\": [\r\n \"Discovery\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": 
\"2019-02-28T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\r\n \"name\": \"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated >= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated >= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n 
\"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"User joining Zoom meeting from suspicious timezone\",\r\n \"description\": \"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-25T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\r\n \"name\": \"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationName, ActivityStatus, Category, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map IP entity to AzureActivity\",\r\n \"description\": \"Identifies a match in AzureActivity from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n 
\"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\r\n \"name\": \"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated > ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount > threshold;\\nOfficeActivity \\n| where TimeGenerated >= ago(endtime) \\n| where RecordType =~ 
szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SharePointFileOperation via previously unseen IPs\",\r\n \"description\": \"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\r\n \"name\": \"0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == 'high' or modelSeverity_s == 'critical'\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Create Incident for XDR Alerts (Critical & High)\",\r\n \"description\": \"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Azure Sentinel usage. 
(Critical & High Serverity Alerts)\",\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-10T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"TrendMicroXDR\",\r\n \"dataTypes\": [\r\n \"TrendMicro_XDR_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\r\n \"name\": \"50574fac-f8d1-4395-81c7-78a463ff0c52\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SigninLogs\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": 
\"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Azure Active Directory PowerShell accessing non-AAD resources\",\r\n \"description\": \"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-04T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\r\n \"name\": \"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", 
\\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n 
\"displayName\": \"DNS events related to mining pools\",\r\n \"description\": \"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\r\n \"name\": \"9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-SDPROP-CONSISTENCY\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-GPO-HARDENING\\\", \\\"C-DC-ACCESS-CONSISTENCY\\\", \\\"C-DANGEROUS-TRUST-RELATIONSHIP\\\", \\\"C-UNCONST-DELEG\\\", \\\"C-ABNORMAL-ENTRIES-IN-SCHEMA\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid Active Directory attacks pathways\",\r\n \"description\": \"Searches for triggered Indicators of Exposures related to Active Directory attacks 
pathways\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-07T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\r\n \"name\": \"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let threshold = 1;\\nSigninLogs\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Status = makelist(Status), StatusDetails = makelist(StatusDetails), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress) , CorrelationIds = makelist(CorrelationId) by UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name\\n| where IPAddressCount > threshold and StatusDetails !has 
\\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = makeset(IPAddresses), Status = makeset(Status), CorrelationIds = makeset(CorrelationIds) by StartTimeUtc, EndTimeUtc, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Attempt to bypass conditional access rule in Azure AD\",\r\n \"description\": \"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\r\n \"tactics\": [\r\n 
\"InitialAccess\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActiveDirectory\",\r\n \"dataTypes\": [\r\n \"SigninLogs\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\r\n \"name\": \"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", 
\\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n 
\\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", 
\\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", 
\\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * '(' DNSName ')' * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (DnsEvents \\n | extend DNSName = Name \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = ClientIP \\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | 
extend Computer = DeviceName \\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Known Barium domains\",\r\n \"description\": \"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-11-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"DNS\",\r\n \"dataTypes\": [\r\n \"DnsEvents\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(VMInsights)\",\r\n \"dataTypes\": [\r\n \"VMConnection\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceNetworkEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\r\n \"name\": \"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from ago(starttime) to ago(endtime) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total > TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 
4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Process execution frequency anomaly\",\r\n \"description\": \"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\r\n \"name\": \"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"FileHash\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Algorithm\",\r\n 
\"columnName\": \"MD5\"\r\n },\r\n {\r\n \"identifier\": \"Value\",\r\n \"columnName\": \"FileHashCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"SUNBURST network beacons\",\r\n \"description\": \"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-31T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-12-15T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"MicrosoftThreatProtection\",\r\n \"dataTypes\": [\r\n \"DeviceNetworkEvents\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\r\n \"name\": \"06a9b845-6a95-4432-a78b-83919b28c375\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as 
outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated > ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated > ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal > percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by 
DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 3,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Time series anomaly detection for total volume of traffic\",\r\n \"description\": \"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\r\n \"tactics\": [\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-05-07T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Barracuda\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CEF\",\r\n \"dataTypes\": [\r\n 
\"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CheckPoint\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"CiscoASA\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"F5\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Fortinet\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\r\n \"name\": \"871ba14c-88ef-48aa-ad38-810f26760ca3\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"OfficeActivity\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has ':', tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has '-', tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" 
and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has ':', tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has '-', tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has ']-', tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has ']:', tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has ':', tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has '-', tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has ']-', tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has ']:', tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount > 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports = tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": 
{},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Multiple users email forwarded to same destination\",\r\n \"description\": \"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"Exfiltration\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-23T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\r\n \"name\": \"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated > ago(lbtime)\\n| where EventType == 'message'\\n| where NetworkDirection == 'outbound'\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@'\\\\A(.*?)@', 1, SrcUserUpn)\\n| extend sender_domain = extract(@'@(.*)$', 1, SrcUserUpn)\\n| extend recipient = extract(@'\\\\A(.*?)@', 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend 
recipient_domain = extract(@'@(.*)$', 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"ProofpointPOD - Possible data exfiltration to private email\",\r\n \"description\": \"Detects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username.\",\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-13T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ProofpointPOD\",\r\n \"dataTypes\": [\r\n \"ProofpointPOD_message_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\r\n \"name\": \"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\\n| where Active == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n OfficeActivity\\n | 
where TimeGenerated >= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, ';')[0])\\n | extend Office_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Office_TimeGenerated, Url, User\\n| extend timestamp = Office_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"URLCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"(Preview) TI map URL entity to OfficeActivity data\",\r\n \"description\": \"Identifies a match in OfficeActivity data from any URL IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n 
\"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\r\n \"name\": \"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Security Event log cleared\",\r\n \"description\": \"Checks for event id 1102 which indicates the security event log was cleared. 
\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\r\n \"tactics\": [\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\r\n \"name\": \"1fa1528e-f746-4794-8a41-14827f4cb798\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let threshold = 100;\\nPulseConnectSecure\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User > threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"PT1H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\r\n \"description\": \"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n 
\"createdDateUTC\": \"2020-06-06T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PulseConnectSecure\",\r\n \"dataTypes\": [\r\n \"Syslog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\r\n \"name\": \"21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"afad_parser\\n| where MessageType == 2 and Codename == \\\"Golden Ticket\\\"\",\r\n \"queryFrequency\": \"PT2H\",\r\n \"queryPeriod\": \"PT2H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [],\r\n \"displayName\": \"Alsid Golden Ticket\",\r\n \"description\": \"Searches for Golden Ticket attacks\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-17T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AlsidForAD\",\r\n \"dataTypes\": [\r\n \"AlsidForADLog_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\r\n \"name\": \"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let threshold 
= 20;\\nSecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !='0xc0000064' and Account !in ('\\\\\\\\', '-\\\\\\\\-')\\n// SubStatus '0xc0000064' signifies 'Account name does not exist'\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \\nSubStatus =~ '0xC000006D', 'Bad user name or password',\\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\\nSubStatus =~ '0xC0000071', 'User logon with expired password',\\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \\nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\\nSubStatus =~ '0xC0000193', 'User logon with expired account',\\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\\nSubStatus =~ '0xC0000234', 'User logon with account locked',\\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error 
occurred during Logon',\\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\\nstrcat('Unknown reason substatus: ', SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount >= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"PT10M\",\r\n \"queryPeriod\": \"PT10M\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Failed logon attempts by valid accounts within 10 mins\",\r\n \"description\": \"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n 
]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\r\n \"name\": \"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationName == \\\"Create role assignment\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ >= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated > ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CorrelationId = makelist(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationName, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n 
]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious granting of permissions to an account\",\r\n \"description\": \"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.\",\r\n \"tactics\": [\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\r\n \"name\": \"2790795b-7dba-483e-853f-44aa0bc9c985\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors > 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n 
{\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Wazuh - Large Number of Web errors from an IP\",\r\n \"description\": \"Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\r\n \"tactics\": [\r\n \"Persistence\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2020-04-21T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\r\n \"name\": \"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = 
tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated > ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n 
}\r\n ],\r\n \"displayName\": \"New Agent Added to Pool by New User or of a New OS Type.\",\r\n \"description\": \"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. An attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have not added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a configurable allow list to allow for certain users to be excluded from the logic.\",\r\n \"tactics\": [\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\r\n \"name\": \"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\r\n \"queryFrequency\": \"P1D\",\r\n 
\"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Base64 encoded Windows process command-lines\",\r\n \"description\": \"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\",\r\n \"tactics\": [\r\n \"Execution\",\r\n \"DefenseEvasion\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2018-09-14T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\r\n \"name\": \"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated >= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime >= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime < ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n 
\"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"New UserAgent observed in last 24 hours\",\r\n \"description\": \"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\r\n \"tactics\": [\r\n \"InitialAccess\",\r\n \"CommandAndControl\",\r\n \"Execution\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-12-11T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-04-01T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AWS\",\r\n \"dataTypes\": [\r\n \"AWSCloudTrail\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"Office365\",\r\n \"dataTypes\": [\r\n \"OfficeActivity\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"AzureMonitor(IIS)\",\r\n \"dataTypes\": [\r\n \"W3CIISLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\r\n \"name\": \"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let szOperationNames = dynamic([\\\"Create or 
Update Virtual Machine\\\", \\\"Create Deployment\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationName, Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope > 0.2\\n| join kind=leftsemi (\\n// Last day's activity is anomalous\\nAzureActivity\\n| where TimeGenerated >= startofday(ago(endtime))\\n| where OperationName in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationName, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatus), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, 
OperationName, Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope > 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatus), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P7D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Suspicious number of resource creation or deployment activities\",\r\n \"description\": \"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-05T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"AzureActivity\",\r\n \"dataTypes\": [\r\n \"AzureActivity\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\r\n \"name\": \"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(lookBack) and TimeGenerated < ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated > ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"URL\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Url\",\r\n \"columnName\": \"UrlCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Cisco Umbrella - Rare User Agent Detected\",\r\n \"description\": \"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-03-21T00:00:00Z\",\r\n \"createdDateUTC\": \"2021-01-11T00:00:00Z\",\r\n 
\"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"CiscoUmbrellaDataConnector\",\r\n \"dataTypes\": [\r\n \"Cisco_Umbrella_proxy_CL\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\r\n \"name\": \"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, 
ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P14D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Microsoft COVID-19 file hash indicator matches\",\r\n \"description\": \"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-17T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-30T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"PaloAltoNetworks\",\r\n \"dataTypes\": [\r\n \"CommonSecurityLog\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\r\n \"name\": \"2391ce61-8c8d-41ac-9723-d945b2e90720\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n 
\"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated >= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday >= coalesce(CountPrev7day,0)*threshold and CountToday >= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \\nSubStatus =~ '0xC000006D', 'Bad user name or password',\\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\\nSubStatus =~ '0xC0000071', 'User logon with expired password',\\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired 
operation', \\nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\\nSubStatus =~ '0xC0000193', 'User logon with expired account',\\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\\nSubStatus =~ '0xC0000234', 'User logon with account locked',\\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\\nstrcat('Unknown reason substatus: ', SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P8D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n 
\"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"Host\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"HostCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"Excessive Windows logon failures\",\r\n \"description\": \"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2020-11-19T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-02-22T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"SecurityEvents\",\r\n \"dataTypes\": [\r\n \"SecurityEvent\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\r\n \"name\": \"aac495a9-feb1-446d-b08e-a1164a539452\",\r\n \"type\": \"Microsoft.SecurityInsights/AlertRuleTemplates\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Medium\",\r\n \"query\": \"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = 
iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\r\n \"queryFrequency\": \"PT1H\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"customDetails\": {},\r\n \"entityMappings\": [\r\n {\r\n \"entityType\": \"Account\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"FullName\",\r\n \"columnName\": \"AccountCustomEntity\"\r\n }\r\n ]\r\n },\r\n {\r\n \"entityType\": \"IP\",\r\n \"fieldMappings\": [\r\n {\r\n \"identifier\": \"Address\",\r\n \"columnName\": \"IPCustomEntity\"\r\n }\r\n ]\r\n }\r\n ],\r\n \"displayName\": \"TI map IP entity to GitHub_CL\",\r\n \"description\": \"Identifies a match in GitHub_CL table from any IP IOC from TI\",\r\n \"tactics\": [\r\n \"Impact\"\r\n ],\r\n \"lastUpdatedDateUTC\": \"2021-02-22T00:00:00Z\",\r\n \"createdDateUTC\": \"2019-08-27T00:00:00Z\",\r\n \"status\": \"Available\",\r\n \"requiredDataConnectors\": [\r\n {\r\n \"connectorId\": \"ThreatIntelligence\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n },\r\n {\r\n \"connectorId\": \"ThreatIntelligenceTaxii\",\r\n \"dataTypes\": [\r\n \"ThreatIntelligenceIndicator\"\r\n ]\r\n }\r\n ],\r\n \"alertRulesCreatedByTemplateCount\": 0\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 } ], 
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleFusion.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleFusion.json index 4f63501330d2..3d59a2e1b257 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleFusion.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleFusion.json 
@@ -1,5 +1,62 @@ { "Entries": [ + { + "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion?api-version=2020-01-01", + "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzL0J1aWx0SW5GdXNpb24/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==", + "RequestMethod": "DELETE", + "RequestBody": "", + "RequestHeaders": { + "x-ms-client-request-id": [ + "762a6bf4-0f3d-46c1-a538-3279cf47c856" + ], + "Accept-Language": [ + "en-US" + ], + "User-Agent": [ + "FxVersion/4.6.29812.02", + "OSName/Windows", + "OSVersion/Microsoft.Windows.10.0.19042.", + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" + ] + }, + "ResponseHeaders": { + "Cache-Control": [ + "no-cache" + ], + "Pragma": [ + "no-cache" + ], + "Server": [ + "Kestrel" + ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], + "x-ms-request-id": [ + "c2faa143-4fb4-4b56-8c1a-292a39101164" + ], + "x-ms-correlation-request-id": [ + "c2faa143-4fb4-4b56-8c1a-292a39101164" + ], + "x-ms-routing-request-id": [ + "WESTUS2:20210413T222730Z:c2faa143-4fb4-4b56-8c1a-292a39101164" + ], + "Strict-Transport-Security": [ + "max-age=31536000; includeSubDomains" + ], + "X-Content-Type-Options": [ + "nosniff" + ], + "Date": [ + "Tue, 13 Apr 2021 22:27:30 GMT" + ], + "Expires": [ + "-1" + ] + }, + "ResponseBody": "", + "StatusCode": 204 + }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/db5ded90-76a4-4c59-8581-1c8b7601b375?api-version=2020-01-01", "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzL2RiNWRlZDkwLTc2YTQtNGM1OS04NTgxLTFjOGI3NjAxYjM3NT9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", @@ -7,16 +64,16 @@ "RequestBody": "{\r\n \"kind\": \"Fusion\",\r\n \"properties\": {\r\n \"alertRuleTemplateName\": \"f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"enabled\": true\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "b7fa7f2c-314e-44c9-acc1-b941919e0fd4" + "61f05c9e-5139-46aa-b337-a5ba683c38ce" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,23 +89,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1195" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "d91029a8-4b70-43ba-a43d-71d463ef5971" + "10861243-0a4b-4d23-8caf-da89c5e03391" ], "x-ms-correlation-request-id": [ - "d91029a8-4b70-43ba-a43d-71d463ef5971" + "10861243-0a4b-4d23-8caf-da89c5e03391" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T212212Z:d91029a8-4b70-43ba-a43d-71d463ef5971" + "WESTUS2:20210413T222730Z:10861243-0a4b-4d23-8caf-da89c5e03391" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,10 +111,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:22:11 GMT" + "Tue, 13 Apr 2021 22:27:30 GMT" ], "Content-Length": [ - "2126" + "1742" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -69,8 +123,8 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/db5ded90-76a4-4c59-8581-1c8b7601b375\",\r\n \"name\": \"db5ded90-76a4-4c59-8581-1c8b7601b375\",\r\n \"etag\": \"\\\"c20083e9-0000-0100-0000-5fd291840000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Fusion\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced Multistage Attack Detection\",\r\n \"description\": \"Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nThere are a total of 70 Fusion incident types detected by Azure Sentinel.\\n- 65 of these show the combination of suspicious Azure Active Directory sign-in events followed by anomalous Office 365 activity. Out of these 65, 30 are in public preview. \\n- The remaining five incident types show the combination of anomalous signals from Microsoft Defender Advanced Threat Protection and from Palo Alto Networks firewalls. 
These five types are all in public preview.\\n\\nTo detect these multistage attacks, the following data connectors must be configured:\\n- Azure Active Directory Identity Protection.\\n- Microsoft Cloud App Security.\\n- Microsoft Defender Advanced Threat Protection.\\n- Palo Alto Networks.\\n\\nFor a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.\",\r\n \"alertRuleTemplateName\": \"f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"CommandAndControl\",\r\n \"DefenseEvasion\",\r\n \"Discovery\",\r\n \"Execution\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"InitialAccess\",\r\n \"LateralMovement\",\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"severity\": \"High\",\r\n \"enabled\": true,\r\n \"lastModifiedUtc\": \"2020-12-10T21:22:12.0573555Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/db5ded90-76a4-4c59-8581-1c8b7601b375\",\r\n \"name\": \"db5ded90-76a4-4c59-8581-1c8b7601b375\",\r\n \"etag\": \"\\\"7f03d924-0000-0100-0000-60761ad20000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Fusion\",\r\n \"properties\": {\r\n \"displayName\": \"Advanced Multistage Attack Detection\",\r\n \"description\": \"Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. 
By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nThere are a total of 90 Fusion incident types detected by Azure Sentinel.\\n\\nTo detect these multistage attacks, the following data connectors must be configured:\\n- Azure Active Directory Identity Protection.\\n- Microsoft Cloud App Security.\\n- Microsoft Defender for Endpoint.\\n- Azure Defender.\\n- Palo Alto Networks.\\n\\nFor a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.\",\r\n \"alertRuleTemplateName\": \"f71aba3d-28fb-450b-b192-4e76a83015c8\",\r\n \"tactics\": [\r\n \"Collection\",\r\n \"CommandAndControl\",\r\n \"DefenseEvasion\",\r\n \"Discovery\",\r\n \"Execution\",\r\n \"Exfiltration\",\r\n \"Impact\",\r\n \"InitialAccess\",\r\n \"LateralMovement\",\r\n \"Persistence\",\r\n \"PrivilegeEscalation\"\r\n ],\r\n \"severity\": \"High\",\r\n \"enabled\": true,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:30.840465Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/db5ded90-76a4-4c59-8581-1c8b7601b375?api-version=2020-01-01", @@ -79,16 +133,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "97738b72-5133-4d4f-9788-1a73315fb340" + "8f6e974c-f880-47d3-afc2-54360fdd455f" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -98,23 +152,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14998" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14998" + ], "x-ms-request-id": [ - "2e134737-b114-4712-8430-19d51bd09959" + "10630940-4702-4006-a9f9-ace5fa2e5da1" ], "x-ms-correlation-request-id": [ - "2e134737-b114-4712-8430-19d51bd09959" + "10630940-4702-4006-a9f9-ace5fa2e5da1" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T212212Z:2e134737-b114-4712-8430-19d51bd09959" + "WESTUS2:20210413T222731Z:10630940-4702-4006-a9f9-ace5fa2e5da1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,7 +174,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:22:11 GMT" + "Tue, 13 Apr 2021 22:27:30 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleMSIC.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleMSIC.json index 7fb7f2aa79ce..7885c2d7c610 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleMSIC.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleMSIC.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"alertRuleTemplateName\": \"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"displayName\": \"MSICposhTest\",\r\n \"enabled\": true\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "a11bbc4a-5368-4799-b9d4-03649dabdf76" + "26abae05-1e1c-4212-b7f6-3dc343bb9262" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1197" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "c84accd1-6c56-47e7-80d4-835719229e53" + "ce85d0f5-2197-4a65-b6c4-2c7f885e28a5" ], "x-ms-correlation-request-id": [ - "c84accd1-6c56-47e7-80d4-835719229e53" + "ce85d0f5-2197-4a65-b6c4-2c7f885e28a5" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T212029Z:c84accd1-6c56-47e7-80d4-835719229e53" + "WESTUS2:20210413T222727Z:ce85d0f5-2197-4a65-b6c4-2c7f885e28a5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:20:29 GMT" + "Tue, 13 Apr 2021 22:27:26 GMT" ], "Content-Length": [ "757" 
@@ -69,8 +66,8 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/b3ccc517-c3ba-4134-abd1-43256d0d9f4e\",\r\n \"name\": \"b3ccc517-c3ba-4134-abd1-43256d0d9f4e\",\r\n \"etag\": \"\\\"c20049e0-0000-0100-0000-5fd2911d0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"severitiesFilter\": null,\r\n \"displayNamesFilter\": null,\r\n \"displayNamesExcludeFilter\": null,\r\n \"displayName\": \"MSICposhTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": \"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"lastModifiedUtc\": \"2020-12-10T21:20:29.6469805Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/b3ccc517-c3ba-4134-abd1-43256d0d9f4e\",\r\n \"name\": \"b3ccc517-c3ba-4134-abd1-43256d0d9f4e\",\r\n \"etag\": \"\\\"7f03a024-0000-0100-0000-60761ace0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"severitiesFilter\": null,\r\n \"displayNamesFilter\": null,\r\n \"displayNamesExcludeFilter\": null,\r\n \"displayName\": \"MSICposhTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": \"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:26.9487122Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": 
"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/b3ccc517-c3ba-4134-abd1-43256d0d9f4e?api-version=2020-01-01", @@ -79,16 +76,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "5e76a682-4ca5-48ae-887a-afcad59cd62c" + "be761736-f0f3-40b8-ab69-383599fe3d19" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -98,23 +95,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14998" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "e5acae25-57ec-4a94-b924-daa3f3d5c799" + "203d744a-3880-4b70-a7b2-89ee1e37c498" ], "x-ms-correlation-request-id": [ - "e5acae25-57ec-4a94-b924-daa3f3d5c799" + "203d744a-3880-4b70-a7b2-89ee1e37c498" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T212029Z:e5acae25-57ec-4a94-b924-daa3f3d5c799" + "WESTUS2:20210413T222727Z:203d744a-3880-4b70-a7b2-89ee1e37c498" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,7 +117,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:20:29 GMT" + "Tue, 13 Apr 2021 22:27:26 GMT" ], "Content-Length": [ "2" 
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleScheduled.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleScheduled.json index 18faa7fdea8e..fdd86d2e5306 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleScheduled.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/CreateAlertRuleScheduled.json @@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "51b59801-26b2-4f49-b4f3-3a8bdf8c626d" + "fb1565f3-b061-45ff-b3e2-3dd453379ee9" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1197" + ], "x-ms-request-id": [ - "8ceda48f-1764-4226-b524-8ba37d6135d1" + "81b96c64-7101-4baf-9711-8cf4ba212cc8" ], "x-ms-correlation-request-id": [ - "8ceda48f-1764-4226-b524-8ba37d6135d1" + "81b96c64-7101-4baf-9711-8cf4ba212cc8" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213617Z:8ceda48f-1764-4226-b524-8ba37d6135d1" + "WESTUS2:20210413T222729Z:81b96c64-7101-4baf-9711-8cf4ba212cc8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:36:17 GMT" + "Tue, 13 Apr 2021 22:27:28 GMT" ], "Content-Length": [ "972" 
@@ -69,8 +66,8 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/103818ba-9f48-41af-bf1b-101f797ab82e\",\r\n \"name\": \"103818ba-9f48-41af-bf1b-101f797ab82e\",\r\n \"etag\": \"\\\"c300383c-0000-0100-0000-5fd294d10000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:36:17.4458574Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/103818ba-9f48-41af-bf1b-101f797ab82e\",\r\n \"name\": \"103818ba-9f48-41af-bf1b-101f797ab82e\",\r\n \"etag\": \"\\\"7f03bb24-0000-0100-0000-60761ad00000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": 
\"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:28.5725938Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/103818ba-9f48-41af-bf1b-101f797ab82e?api-version=2020-01-01", @@ -79,16 +76,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "425c1e88-893c-47af-8de0-ab04d2e06b3b" + "491065a8-42d9-403b-9dfc-0ef35ad69158" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -98,23 +95,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14998" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14998" + ], "x-ms-request-id": [ - "98efe29f-3a45-4966-b769-a2d69b7fa1bb" + "e7b74059-1716-44ea-925c-f1e3a99c84c3" ], "x-ms-correlation-request-id": [ - "98efe29f-3a45-4966-b769-a2d69b7fa1bb" + "e7b74059-1716-44ea-925c-f1e3a99c84c3" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213618Z:98efe29f-3a45-4966-b769-a2d69b7fa1bb" + "WESTUS2:20210413T222729Z:e7b74059-1716-44ea-925c-f1e3a99c84c3" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,7 +117,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:36:18 GMT" + "Tue, 13 Apr 2021 22:27:28 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/GetAction.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/GetAction.json index bf259fb1e679..b77500d1c955 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/GetAction.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/GetAction.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "2bb8aa7c-d6f8-4ad9-939c-93a6fb8c123e" + "78526eb4-ad7f-4b78-bdef-9e441d20ce50" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1197" + ], "x-ms-request-id": [ - "0d40ac26-b97c-4884-81ae-91201d2d683f" + "1b95c899-516b-440d-84c1-0479f709072a" ], "x-ms-correlation-request-id": [ - "0d40ac26-b97c-4884-81ae-91201d2d683f" + "1b95c899-516b-440d-84c1-0479f709072a" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213228Z:0d40ac26-b97c-4884-81ae-91201d2d683f" + "WESTUS2:20210413T222732Z:1b95c899-516b-440d-84c1-0479f709072a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:32:28 GMT" + "Tue, 13 Apr 2021 22:27:32 GMT" ], "Content-Length": [ "972" 
@@ -69,8 +66,8 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"c300a725-0000-0100-0000-5fd293ec0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:32:10.8008143Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"7f03f724-0000-0100-0000-60761ad40000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": 
\"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:32.4624007Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4324441a-de38-42c2-83dd-bb93db929e7c?api-version=2020-01-01", @@ -79,16 +76,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "d64ebe11-cf4e-46de-b9be-1bb9b283022b" + "13eb7546-bd21-4b58-b8eb-25b154123cc0" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -98,23 +95,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11998" + ], "x-ms-request-id": [ - "39538e6a-8c01-46e8-b7c0-6f7ef9fd66a2" + "450d885e-2a5f-455a-909c-b7537c21eb51" ], "x-ms-correlation-request-id": [ - "39538e6a-8c01-46e8-b7c0-6f7ef9fd66a2" + "450d885e-2a5f-455a-909c-b7537c21eb51" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213228Z:39538e6a-8c01-46e8-b7c0-6f7ef9fd66a2" + "WESTUS2:20210413T222733Z:450d885e-2a5f-455a-909c-b7537c21eb51" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,7 +117,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:32:28 GMT" + "Tue, 13 Apr 2021 22:27:32 GMT" ], "Content-Length": [ "972" 
@@ -135,7 +129,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"c300a725-0000-0100-0000-5fd293ec0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:32:10.8008143Z\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"7f03f724-0000-0100-0000-60761ad40000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n 
\"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:32.4624007Z\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -145,16 +139,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "91eed691-d48a-4cd5-8587-0efe1307581a" + "d37228de-326f-40b5-80ee-39c83d2625d3" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -164,23 +158,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14997" + ], "x-ms-request-id": [ - "452d495c-e7ee-4967-917c-b895c1ad2707" + "dfbf4369-c278-4921-917a-0916148c256b" ], "x-ms-correlation-request-id": [ - "452d495c-e7ee-4967-917c-b895c1ad2707" + "dfbf4369-c278-4921-917a-0916148c256b" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213229Z:452d495c-e7ee-4967-917c-b895c1ad2707" + "WESTUS2:20210413T222733Z:dfbf4369-c278-4921-917a-0916148c256b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -189,7 +180,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:32:29 GMT" + "Tue, 13 Apr 2021 22:27:32 GMT" ], "Content-Length": [ "2" 
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/InputObject.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/InputObject.json index 7b2acf804baa..fa7c5f9cc164 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/InputObject.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/InputObject.json @@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "6cb051fd-56b2-46b9-8847-bb29e6604968" + "748fa73e-5f6a-4bdb-b7d0-7dcdb8c5b789" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "3ba19f94-ffb1-4ae4-ab84-7214f72a8e88" + "5ad04df7-b793-4005-967f-206946e5e36d" ], "x-ms-correlation-request-id": [ - "3ba19f94-ffb1-4ae4-ab84-7214f72a8e88" + "5ad04df7-b793-4005-967f-206946e5e36d" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213316Z:3ba19f94-ffb1-4ae4-ab84-7214f72a8e88" + "WESTUS2:20210413T222715Z:5ad04df7-b793-4005-967f-206946e5e36d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,10 +54,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:33:15 GMT" + "Tue, 13 Apr 2021 22:27:14 GMT" ], "Content-Length": [ - "971" + "972" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -69,26 +66,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"name\": \"4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"etag\": \"\\\"c300402a-0000-0100-0000-5fd2941c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:33:14.669933Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"name\": \"4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"etag\": \"\\\"7f03d423-0000-0100-0000-60761ac30000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": 
\"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:14.7732563Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzQwMzcwNzZlLTQ3OWEtNGQxOC05M2Y5LWJjZGI3MmYwYzg1Nj9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n },\r\n \"etag\": \"\\\"c300402a-0000-0100-0000-5fd2941c0000\\\"\"\r\n}", + "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n },\r\n \"etag\": \"\\\"7f03d423-0000-0100-0000-60761ac30000\\\"\"\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "9c260320-b5ce-4b18-a2a1-c4fdf2eac736" + "6df58a05-2178-4961-8008-43e5fc5e9ddf" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -104,23 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "db11fb80-b76a-4be7-b1f7-91ed900bd97f" + "8ce729df-e47d-46ba-800d-4f1244f1bd3b" ], "x-ms-correlation-request-id": [ - "db11fb80-b76a-4be7-b1f7-91ed900bd97f" + "8ce729df-e47d-46ba-800d-4f1244f1bd3b" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213323Z:db11fb80-b76a-4be7-b1f7-91ed900bd97f" + "WESTUS2:20210413T222715Z:8ce729df-e47d-46ba-800d-4f1244f1bd3b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -129,7 +123,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:33:22 GMT" + "Tue, 13 Apr 2021 22:27:15 GMT" ], "Content-Length": [ "973" 
@@ -141,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"name\": \"4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"etag\": \"\\\"c300b02a-0000-0100-0000-5fd294200000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:33:20.0280526Z\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"name\": \"4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"etag\": \"\\\"7f03de23-0000-0100-0000-60761ac30000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n 
\"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:15.4780309Z\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -151,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "9cade664-1c68-4dba-9bd4-dd811d66a273" + "6df58a05-2178-4961-8008-43e5fc5e9ddf" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -170,23 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "4d31a7a0-0684-43ce-a913-20ca2317e5c2" + "4c042d83-2b03-475a-bad3-978fb6a92986" ], "x-ms-correlation-request-id": [ - "4d31a7a0-0684-43ce-a913-20ca2317e5c2" + "4c042d83-2b03-475a-bad3-978fb6a92986" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213317Z:4d31a7a0-0684-43ce-a913-20ca2317e5c2" + "WESTUS2:20210413T222715Z:4c042d83-2b03-475a-bad3-978fb6a92986" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -195,10 +186,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:33:16 GMT" + "Tue, 13 Apr 2021 22:27:14 GMT" ], "Content-Length": [ - "971" + "972" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -207,7 +198,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"name\": \"4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"etag\": \"\\\"c300402a-0000-0100-0000-5fd2941c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:33:14.669933Z\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"name\": \"4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"etag\": \"\\\"7f03d423-0000-0100-0000-60761ac30000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n 
\"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:14.7732563Z\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -217,16 +208,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "e1717ab4-11bd-4e84-bc24-9d4db7c9feac" + "ea455814-9af2-48fd-ad6f-8773908a1f24" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -236,23 +227,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11998" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11998" + ], "x-ms-request-id": [ - "19535b78-8da5-4541-be75-5d701427c106" + "44146358-b11e-4571-9cdd-539e7c6ec9f3" ], "x-ms-correlation-request-id": [ - "19535b78-8da5-4541-be75-5d701427c106" + "44146358-b11e-4571-9cdd-539e7c6ec9f3" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213324Z:19535b78-8da5-4541-be75-5d701427c106" + "WESTUS2:20210413T222715Z:44146358-b11e-4571-9cdd-539e7c6ec9f3" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -261,7 +249,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:33:23 GMT" + "Tue, 13 Apr 2021 22:27:15 GMT" ], "Content-Length": [ "973" 
@@ -273,7 +261,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"name\": \"4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"etag\": \"\\\"c300b02a-0000-0100-0000-5fd294200000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:33:20.0280526Z\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"name\": \"4037076e-479a-4d18-93f9-bcdb72f0c856\",\r\n \"etag\": \"\\\"7f03de23-0000-0100-0000-60761ac30000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n 
\"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:15.4780309Z\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -283,16 +271,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "15a35733-2cf0-439c-8973-618462789351" + "b8df9f72-bd8b-4324-8f39-6f45e0f0479a" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -302,23 +290,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "4ae8cac1-4dfd-458c-8cf9-2bd22df187fd" + "20c691b2-96f7-40b8-87da-35f1989e0a3d" ], "x-ms-correlation-request-id": [ - "4ae8cac1-4dfd-458c-8cf9-2bd22df187fd" + "20c691b2-96f7-40b8-87da-35f1989e0a3d" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213325Z:4ae8cac1-4dfd-458c-8cf9-2bd22df187fd" + "WESTUS2:20210413T222715Z:20c691b2-96f7-40b8-87da-35f1989e0a3d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -327,7 +312,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:33:24 GMT" + "Tue, 13 Apr 2021 22:27:15 GMT" ], "Content-Length": [ "2" 
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/ListAlertRules.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/ListAlertRules.json index 16b3bf31e33a..c877033c00e1 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/ListAlertRules.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/ListAlertRules.json @@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "0c51c1eb-6bed-4304-a29f-315d136ac4ca" + "e7c20042-e532-4e7a-9831-3bdaea3e2fc5" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "0abf4adf-85b3-4c83-9cf4-88511a3b5d65" + "95181470-3cac-46b1-9965-b6721d10bb73" ], "x-ms-correlation-request-id": [ - "0abf4adf-85b3-4c83-9cf4-88511a3b5d65" + "95181470-3cac-46b1-9965-b6721d10bb73" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213447Z:0abf4adf-85b3-4c83-9cf4-88511a3b5d65" + "WESTUS2:20210413T222720Z:95181470-3cac-46b1-9965-b6721d10bb73" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:34:46 GMT" + "Tue, 13 Apr 2021 22:27:20 GMT" ], "Content-Length": [ "972" 
@@ -69,8 +66,8 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9\",\r\n \"name\": \"3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9\",\r\n \"etag\": \"\\\"c3000b33-0000-0100-0000-5fd294770000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:33:47.0448304Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9\",\r\n \"name\": \"3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9\",\r\n \"etag\": \"\\\"7f033024-0000-0100-0000-60761ac80000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": 
\"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:19.2574414Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3a516217-ec98-4bbf-8d00-c6d7d60095ff?api-version=2020-01-01", @@ -79,16 +76,16 @@ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "2bfccad2-6ff1-4090-aa92-4b43d1c840f6" + "06aedbab-3138-4476-8de6-77fd0d7f7e0d" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -104,23 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "cdedfd38-1979-4b02-a2ea-84abdc70ced2" + "3f004cd5-d43e-4153-8003-bf62c4493fb8" ], "x-ms-correlation-request-id": [ - "cdedfd38-1979-4b02-a2ea-84abdc70ced2" + "3f004cd5-d43e-4153-8003-bf62c4493fb8" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213452Z:cdedfd38-1979-4b02-a2ea-84abdc70ced2" + "WESTUS2:20210413T222721Z:3f004cd5-d43e-4153-8003-bf62c4493fb8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -129,7 +123,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:34:52 GMT" + "Tue, 13 Apr 2021 22:27:20 GMT" ], "Content-Length": [ "973" 
@@ -141,8 +135,8 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3a516217-ec98-4bbf-8d00-c6d7d60095ff\",\r\n \"name\": \"3a516217-ec98-4bbf-8d00-c6d7d60095ff\",\r\n \"etag\": \"\\\"c3009c33-0000-0100-0000-5fd2947c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:34:47.6156001Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3a516217-ec98-4bbf-8d00-c6d7d60095ff\",\r\n \"name\": \"3a516217-ec98-4bbf-8d00-c6d7d60095ff\",\r\n \"etag\": \"\\\"7f033624-0000-0100-0000-60761ac90000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": 
\"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:20.9913232Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules?api-version=2020-01-01", @@ -151,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "bb86b5bc-186d-4978-bd1e-fb889a91d326" + "996ca440-3c80-43ea-877c-1c093ea829ba" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -170,23 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "767b7257-6146-429d-851f-d392da81cad3" + "3a9cf456-e027-49f4-a199-70666d01bbd7" ], "x-ms-correlation-request-id": [ - "767b7257-6146-429d-851f-d392da81cad3" + "3a9cf456-e027-49f4-a199-70666d01bbd7" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213453Z:767b7257-6146-429d-851f-d392da81cad3" + "WESTUS2:20210413T222721Z:3a9cf456-e027-49f4-a199-70666d01bbd7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -195,10 +186,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:34:52 GMT" + "Tue, 13 Apr 2021 22:27:20 GMT" ], "Content-Length": [ - "12974" + "1958" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -207,7 +198,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/ae10bc30-f038-4774-969b-432ba97ac3dd\",\r\n \"name\": \"ae10bc30-f038-4774-969b-432ba97ac3dd\",\r\n \"etag\": \"\\\"ab002965-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"severitiesFilter\": null,\r\n \"displayNamesFilter\": null,\r\n \"displayNamesExcludeFilter\": null,\r\n \"displayName\": \"MSICposhTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": \"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"lastModifiedUtc\": \"2020-11-21T00:56:12.8145141Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/e1a91c5e-a4e8-466a-b801-585ca8d6f4d8\",\r\n \"name\": \"e1a91c5e-a4e8-466a-b801-585ca8d6f4d8\",\r\n \"etag\": \"\\\"ab002a65-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"High\",\r\n \"query\": \"let timeframe = 1d;\\nlet DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = '[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}';\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| where TimeGenerated >= ago(timeframe)\\n| parse Message with * '(' DNSName ')' * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", 
SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| where TimeGenerated >= ago(timeframe) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName in~ (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| where TimeGenerated >= ago(timeframe) \\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) or isnotempty(DNSName)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| where TimeGenerated >= ago(timeframe)\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account )\\n)\",\r\n \"queryFrequency\": \"P1D\",\r\n \"queryPeriod\": \"P1D\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 0,\r\n \"suppressionDuration\": \"PT5H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5H\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"eventGroupingSettings\": {\r\n \"aggregationKind\": \"SingleAlert\"\r\n },\r\n \"displayName\": \"Known 
Phosphorus group domains/IP\",\r\n \"enabled\": true,\r\n \"description\": \"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\r\n \"tactics\": [\r\n \"CommandAndControl\"\r\n ],\r\n \"alertRuleTemplateName\": \"155f40c6-610d-497d-85fc-3cf06ec13256\",\r\n \"lastModifiedUtc\": \"2020-11-19T21:10:56.4078943Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\",\r\n \"name\": \"209ed12a-e19a-4a05-9d81-e11d2be3cafa\",\r\n \"etag\": \"\\\"ab002b65-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Microsoft Defender Advanced Threat Protection\",\r\n \"severitiesFilter\": null,\r\n \"displayNamesFilter\": null,\r\n \"displayNamesExcludeFilter\": null,\r\n \"displayName\": \"Create incidents based on Microsoft Defender Advanced Threat Protection alerts\",\r\n \"enabled\": true,\r\n \"description\": \"Create incidents based on all alerts generated in Microsoft Defender Advanced Threat Protection\",\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": \"327cd4ed-ca42-454b-887c-54e1c91363c6\",\r\n \"lastModifiedUtc\": \"2020-11-14T05:52:58.9321595Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/e39e7c39-ae96-4a10-8382-94f8180d69c1\",\r\n \"name\": \"e39e7c39-ae96-4a10-8382-94f8180d69c1\",\r\n \"etag\": 
\"\\\"ab002e65-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Office 365 Advanced Threat Protection\",\r\n \"severitiesFilter\": [\r\n \"High\"\r\n ],\r\n \"displayNamesFilter\": [\r\n \"test\"\r\n ],\r\n \"displayNamesExcludeFilter\": null,\r\n \"displayName\": \"Create incidents based on Office 365 Advanced Threat Protection alerts\",\r\n \"enabled\": true,\r\n \"description\": \"Create incidents based on all alerts generated in Office 365 Advanced Threat Protection\",\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": \"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\r\n \"lastModifiedUtc\": \"2020-11-13T23:54:01.8367488Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/a42eb7d9-4a86-403d-8343-742e769da87e\",\r\n \"name\": \"a42eb7d9-4a86-403d-8343-742e769da87e\",\r\n \"etag\": \"\\\"0100ec68-0000-0100-0000-5fc7e2c80000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"MicrosoftSecurityIncidentCreation\",\r\n \"properties\": {\r\n \"productFilter\": \"Azure Security Center for IoT\",\r\n \"severitiesFilter\": null,\r\n \"displayNamesFilter\": null,\r\n \"displayNamesExcludeFilter\": null,\r\n \"displayName\": \"Create Incidents for Azure Security Center for IoT\",\r\n \"enabled\": true,\r\n \"description\": \"\",\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": \"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\r\n \"lastModifiedUtc\": \"2020-12-02T18:54:00.9631204Z\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/cf892586-4ed2-4efd-9a04-81f43bddb6ed\",\r\n \"name\": \"cf892586-4ed2-4efd-9a04-81f43bddb6ed\",\r\n \"etag\": \"\\\"c200c7d1-0000-0100-0000-5fd2907f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:17:00.8574308Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9\",\r\n \"name\": \"3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9\",\r\n \"etag\": \"\\\"c3000b33-0000-0100-0000-5fd294770000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": 
false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:33:47.0448304Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3a516217-ec98-4bbf-8d00-c6d7d60095ff\",\r\n \"name\": \"3a516217-ec98-4bbf-8d00-c6d7d60095ff\",\r\n \"etag\": \"\\\"c3009c33-0000-0100-0000-5fd2947c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:34:47.6156001Z\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9\",\r\n \"name\": \"3fefb3df-b5af-4bae-b3b9-2b32e7bb9fa9\",\r\n \"etag\": \"\\\"7f033024-0000-0100-0000-60761ac80000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:19.2574414Z\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/3a516217-ec98-4bbf-8d00-c6d7d60095ff\",\r\n \"name\": \"3a516217-ec98-4bbf-8d00-c6d7d60095ff\",\r\n \"etag\": \"\\\"7f033624-0000-0100-0000-60761ac90000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n 
\"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:20.9913232Z\"\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { @@ -217,16 +208,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "c7973a5b-76af-4c10-b802-a0d7df57186c" + "6762c583-c8ce-4657-b8d0-696ce15abfb5" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -236,23 +227,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "0b66391e-e59e-4ae8-90f5-a6a924f8d9c1" + "0e1016f8-99b5-4908-81f8-979deacfe305" ], "x-ms-correlation-request-id": [ - "0b66391e-e59e-4ae8-90f5-a6a924f8d9c1" + "0e1016f8-99b5-4908-81f8-979deacfe305" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213453Z:0b66391e-e59e-4ae8-90f5-a6a924f8d9c1" + "WESTUS2:20210413T222721Z:0e1016f8-99b5-4908-81f8-979deacfe305" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -261,7 +249,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:34:52 GMT" + "Tue, 13 Apr 2021 22:27:21 GMT" ], "Content-Length": [ "2" 
@@ -283,16 +271,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "5c2f7656-683f-4b60-9240-a137aba17098" + "99c7f295-05d2-4c16-a3ee-88d115cd90a1" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -302,23 +290,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14998" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14998" + ], "x-ms-request-id": [ - "74421bf5-5ce0-4f9c-8276-d0565bbf2d3a" + "b9f39266-ef89-4457-8aac-c9173a3c27c2" ], "x-ms-correlation-request-id": [ - "74421bf5-5ce0-4f9c-8276-d0565bbf2d3a" + "b9f39266-ef89-4457-8aac-c9173a3c27c2" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213453Z:74421bf5-5ce0-4f9c-8276-d0565bbf2d3a" + "WESTUS2:20210413T222721Z:b9f39266-ef89-4457-8aac-c9173a3c27c2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -327,7 +312,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:34:52 GMT" + "Tue, 13 Apr 2021 22:27:21 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/RemoveAlertRule.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/RemoveAlertRule.json index 215cda8f5259..995c77be5c49 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/RemoveAlertRule.json 
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/RemoveAlertRule.json @@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "4e1cf31e-1395-4ea7-bc81-f03dd5e3e7bb" + "dba7b2a9-0974-4c43-9331-3e97f0f43e7f" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "e2f54302-4014-451f-94cc-2a71b56eb2e5" + "30239bd5-2a56-430b-9111-c4c0136985ea" ], "x-ms-correlation-request-id": [ - "e2f54302-4014-451f-94cc-2a71b56eb2e5" + "30239bd5-2a56-430b-9111-c4c0136985ea" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211659Z:e2f54302-4014-451f-94cc-2a71b56eb2e5" + "WESTUS2:20210413T222717Z:30239bd5-2a56-430b-9111-c4c0136985ea" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -57,10 +54,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:16:58 GMT" + "Tue, 13 Apr 2021 22:27:17 GMT" ], "Content-Length": [ - "971" + "972" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -69,8 +66,8 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/c0a45694-5077-4fd0-a81c-95de70659378\",\r\n \"name\": \"c0a45694-5077-4fd0-a81c-95de70659378\",\r\n \"etag\": \"\\\"c20003cd-0000-0100-0000-5fd2904b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:16:13.186102Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/c0a45694-5077-4fd0-a81c-95de70659378\",\r\n \"name\": \"c0a45694-5077-4fd0-a81c-95de70659378\",\r\n \"etag\": \"\\\"7f030124-0000-0100-0000-60761ac50000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": 
\"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:17.1659521Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/c0a45694-5077-4fd0-a81c-95de70659378?api-version=2020-01-01", @@ -79,16 +76,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "15231051-459e-4181-bbdd-22dd90ff4e7c" + "299b767b-f751-49e3-ac62-4f5411326a53" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -98,23 +95,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "650f086f-2bde-42b5-97ae-711976b56288" + "b8c356df-08b2-4dfe-8f9c-bb83f8e2ecb7" ], "x-ms-correlation-request-id": [ - "650f086f-2bde-42b5-97ae-711976b56288" + "b8c356df-08b2-4dfe-8f9c-bb83f8e2ecb7" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211659Z:650f086f-2bde-42b5-97ae-711976b56288" + "WESTUS2:20210413T222717Z:b8c356df-08b2-4dfe-8f9c-bb83f8e2ecb7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,7 +117,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:16:58 GMT" + "Tue, 13 Apr 2021 22:27:17 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/UpdateAlertRule.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/UpdateAlertRule.json index 4108392e10fe..ad14a5fbd453 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/UpdateAlertRule.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.AlertRulesTests/UpdateAlertRule.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "412d12b7-a2f8-4703-9ea3-99ce9ebf5a00" + "523c2267-14a5-46e0-8a8d-d69a3493c166" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "1c19c5ce-eee3-4c0d-9ae1-78706737ea31" + "e33eef10-45d9-474a-b761-3ad1a63eb339" ], "x-ms-correlation-request-id": [ - "1c19c5ce-eee3-4c0d-9ae1-78706737ea31" + "e33eef10-45d9-474a-b761-3ad1a63eb339" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T212027Z:1c19c5ce-eee3-4c0d-9ae1-78706737ea31" + "WESTUS2:20210413T222725Z:e33eef10-45d9-474a-b761-3ad1a63eb339" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,10 +54,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:20:27 GMT" + "Tue, 13 Apr 2021 22:27:24 GMT" ], "Content-Length": [ - "971" + "972" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -69,26 +66,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"name\": \"51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"etag\": \"\\\"c2000ee0-0000-0100-0000-5fd2911b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:19:33.400946Z\"\r\n }\r\n}", - "StatusCode": 201 + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"name\": \"51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"etag\": \"\\\"7f037f24-0000-0100-0000-60761acd0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": 
\"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:23.2491464Z\"\r\n }\r\n}", + "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9hbGVydFJ1bGVzLzUxZDNlMjlkLTVlMTctNDhmMy1hYjFmLTY4YzBkY2QwMTBmND9hcGktdmVyc2lvbj0yMDIwLTAxLTAx", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n },\r\n \"etag\": \"\\\"c2000ee0-0000-0100-0000-5fd2911b0000\\\"\"\r\n}", + "RequestBody": "{\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"severity\": \"Low\",\r\n \"triggerOperator\": 
\"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false\r\n },\r\n \"etag\": \"\\\"7f037f24-0000-0100-0000-60761acd0000\\\"\"\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "90d61734-5ae9-438a-91c8-df6fd08a1c17" + "7ed38221-ef94-4d2c-87dc-dcabd731684b" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -104,23 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "b75acf2d-4d43-4d0f-8a35-9520ccd82b50" + "a7b5cbf1-c1de-42a3-9258-61bd81dbefec" ], "x-ms-correlation-request-id": [ - "b75acf2d-4d43-4d0f-8a35-9520ccd82b50" + "a7b5cbf1-c1de-42a3-9258-61bd81dbefec" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T212028Z:b75acf2d-4d43-4d0f-8a35-9520ccd82b50" + "WESTUS2:20210413T222725Z:a7b5cbf1-c1de-42a3-9258-61bd81dbefec" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -129,7 +123,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:20:27 GMT" + "Tue, 13 Apr 2021 22:27:25 GMT" ], "Content-Length": [ "973" 
@@ -141,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"name\": \"51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"etag\": \"\\\"c2001ee0-0000-0100-0000-5fd2911c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:20:28.1710289Z\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"name\": \"51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"etag\": \"\\\"7f038524-0000-0100-0000-60761acd0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n 
\"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": false,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:25.3970326Z\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -151,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "1d8f6db3-16d7-4081-a56f-c58778d44bb4" + "7ed38221-ef94-4d2c-87dc-dcabd731684b" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -170,23 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11998" + ], "x-ms-request-id": [ - "69cd6d8f-6131-4a43-9ba5-9b6c3e80f575" + "ba9f3c2a-c929-442d-9bd3-90f6a4a857ea" ], "x-ms-correlation-request-id": [ - "69cd6d8f-6131-4a43-9ba5-9b6c3e80f575" + "ba9f3c2a-c929-442d-9bd3-90f6a4a857ea" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T212028Z:69cd6d8f-6131-4a43-9ba5-9b6c3e80f575" + "WESTUS2:20210413T222725Z:ba9f3c2a-c929-442d-9bd3-90f6a4a857ea" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -195,10 +186,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:20:27 GMT" + "Tue, 13 Apr 2021 22:27:24 GMT" ], "Content-Length": [ - "971" + "972" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -207,7 +198,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"name\": \"51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"etag\": \"\\\"c2000ee0-0000-0100-0000-5fd2911b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n \"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2020-12-10T21:19:33.400946Z\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"name\": \"51d3e29d-5e17-48f3-ab1f-68c0dcd010f4\",\r\n \"etag\": \"\\\"7f037f24-0000-0100-0000-60761acd0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/alertRules\",\r\n \"kind\": \"Scheduled\",\r\n \"properties\": {\r\n \"incidentConfiguration\": {\r\n \"createIncident\": true,\r\n \"groupingConfiguration\": {\r\n \"enabled\": false,\r\n \"reopenClosedIncident\": false,\r\n \"lookbackDuration\": \"PT5M\",\r\n 
\"entitiesMatchingMethod\": \"All\",\r\n \"groupByEntities\": []\r\n }\r\n },\r\n \"severity\": \"Low\",\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"queryFrequency\": \"PT5H\",\r\n \"queryPeriod\": \"PT5H\",\r\n \"triggerOperator\": \"GreaterThan\",\r\n \"triggerThreshold\": 10,\r\n \"suppressionDuration\": \"PT1H\",\r\n \"suppressionEnabled\": false,\r\n \"displayName\": \"PoshModuleTest\",\r\n \"enabled\": true,\r\n \"description\": null,\r\n \"tactics\": null,\r\n \"alertRuleTemplateName\": null,\r\n \"lastModifiedUtc\": \"2021-04-13T22:27:23.2491464Z\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -217,16 +208,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "44dabf1e-8f58-40b6-92ce-a008f35abbb0" + "95d87797-a10d-47b1-a6ff-979d813bff22" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -236,23 +227,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], - "api-supported-versions": [ - "2019-01-01-preview" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "3cab1b85-c4d6-4dd5-a1cb-97c460e54436" + "5c90648a-6d7f-4498-914b-a634f8d3ade0" ], "x-ms-correlation-request-id": [ - "3cab1b85-c4d6-4dd5-a1cb-97c460e54436" + "5c90648a-6d7f-4498-914b-a634f8d3ade0" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T212028Z:3cab1b85-c4d6-4dd5-a1cb-97c460e54436" + "WESTUS2:20210413T222725Z:5c90648a-6d7f-4498-914b-a634f8d3ade0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -261,7 +249,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:20:27 GMT" + "Tue, 13 Apr 2021 22:27:25 GMT" ], "Content-Length": [ "2" 
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Create.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Create.json index b6c81cbd1f51..87bad4297d30 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Create.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Create.json 
@@ -4,19 +4,19 @@ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/3a1bd654-9986-4fb9-8584-36f9aba00356?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvM2ExYmQ2NTQtOTk4Ni00ZmI5LTg1ODQtMzZmOWFiYTAwMzU2P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:13:18.6069112Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2021-04-13T22:27:34.0971421Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "2a941b16-0e14-4470-ada8-a0c0ad18a3b4" + "c02b34b0-3729-4eb0-966d-97f2f6078d44" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "e55a0bd4-e580-406c-8655-fa4e39cb9b0a" + "239cc32f-4234-4994-a351-4e7218e443c9" ], "x-ms-correlation-request-id": [ - "e55a0bd4-e580-406c-8655-fa4e39cb9b0a" + "239cc32f-4234-4994-a351-4e7218e443c9" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211319Z:e55a0bd4-e580-406c-8655-fa4e39cb9b0a" + "WESTUS2:20210413T222735Z:239cc32f-4234-4994-a351-4e7218e443c9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:19 GMT" + "Tue, 13 Apr 2021 22:27:35 GMT" ], "Content-Length": [ "935" 
@@ -69,7 +66,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/3a1bd654-9986-4fb9-8584-36f9aba00356\",\r\n \"name\": \"3a1bd654-9986-4fb9-8584-36f9aba00356\",\r\n \"etag\": \"\\\"240092d7-0000-0100-0000-5fd28f6f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:13:19.1440058+00:00\",\r\n \"updated\": \"2020-12-10T21:13:19+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:19.1440058+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/3a1bd654-9986-4fb9-8584-36f9aba00356\",\r\n \"name\": \"3a1bd654-9986-4fb9-8584-36f9aba00356\",\r\n \"etag\": \"\\\"230152cd-0000-0100-0000-60761ad60000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2021-04-13T22:27:34.7455457+00:00\",\r\n \"updated\": \"2021-04-13T22:27:34+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": 
{\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:34.7455457+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -79,16 +76,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "fc6c0c8a-978a-4229-b550-57ee1e83aed9" + "53f6e57f-093b-42dd-9efe-709458ee87aa" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -98,23 +95,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14998" + ], "x-ms-request-id": [ - "6d181d77-7fb0-4c25-810f-2ebbd74dfa2a" + "ed0b11d3-17dc-4a68-9c23-14a34140e54c" ], "x-ms-correlation-request-id": [ - "6d181d77-7fb0-4c25-810f-2ebbd74dfa2a" + "ed0b11d3-17dc-4a68-9c23-14a34140e54c" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211320Z:6d181d77-7fb0-4c25-810f-2ebbd74dfa2a" + "WESTUS2:20210413T222736Z:ed0b11d3-17dc-4a68-9c23-14a34140e54c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,7 +117,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:20 GMT" + "Tue, 13 Apr 2021 22:27:36 GMT" ], "Content-Length": [ "2" 
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Get.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Get.json index 89156d0d3415..fd2f6c991f39 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Get.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Get.json 
@@ -4,25 +4,25 @@ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/2032256f-9912-476d-805b-ea3f60243ac8?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvMjAzMjI1NmYtOTkxMi00NzZkLTgwNWItZWEzZjYwMjQzYWM4P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:13:33.936393Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2021-04-13T22:27:54.5960219Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "3a31a54b-ac78-4f5c-a811-35a2d5ce6e2b" + "5f8c745c-b6db-429a-854c-9bf0dc6528cc" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], "Content-Length": [ - "152" + "153" ] }, "ResponseHeaders": { 
@@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "1908d559-0608-43de-afc7-86ef311a1f64" + "12c097c2-894f-4e97-bece-14d22db2da27" ], "x-ms-correlation-request-id": [ - "1908d559-0608-43de-afc7-86ef311a1f64" + "12c097c2-894f-4e97-bece-14d22db2da27" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211335Z:1908d559-0608-43de-afc7-86ef311a1f64" + "WESTUS2:20210413T222756Z:12c097c2-894f-4e97-bece-14d22db2da27" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:35 GMT" + "Tue, 13 Apr 2021 22:27:55 GMT" ], "Content-Length": [ "933" 
@@ -69,7 +66,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/2032256f-9912-476d-805b-ea3f60243ac8\",\r\n \"name\": \"2032256f-9912-476d-805b-ea3f60243ac8\",\r\n \"etag\": \"\\\"2400dbd7-0000-0100-0000-5fd28f7e0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:13:34.478141+00:00\",\r\n \"updated\": \"2020-12-10T21:13:34+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:34.478141+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/2032256f-9912-476d-805b-ea3f60243ac8\",\r\n \"name\": \"2032256f-9912-476d-805b-ea3f60243ac8\",\r\n \"etag\": \"\\\"23011ecf-0000-0100-0000-60761aeb0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2021-04-13T22:27:55.330819+00:00\",\r\n \"updated\": \"2021-04-13T22:27:55+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": 
{\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:55.330819+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -79,16 +76,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "dcd74500-efd0-460f-8d23-66bbfa9d8505" + "a62a33c6-b3eb-43ce-a1fd-c7f4858bd6d1" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -98,23 +95,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "7bff831b-e366-4a8b-bcf3-b770986515a6" + "8b1057e3-89ed-4852-8681-55bc0796972d" ], "x-ms-correlation-request-id": [ - "7bff831b-e366-4a8b-bcf3-b770986515a6" + "8b1057e3-89ed-4852-8681-55bc0796972d" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211335Z:7bff831b-e366-4a8b-bcf3-b770986515a6" + "WESTUS2:20210413T222756Z:8b1057e3-89ed-4852-8681-55bc0796972d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,7 +117,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:35 GMT" + "Tue, 13 Apr 2021 22:27:56 GMT" ], "Content-Length": [ "940" 
@@ -135,7 +129,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/2032256f-9912-476d-805b-ea3f60243ac8\",\r\n \"name\": \"2032256f-9912-476d-805b-ea3f60243ac8\",\r\n \"etag\": \"\\\"2400dbd7-0000-0100-0000-5fd28f7e0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:13:34.478141+00:00\",\r\n \"updated\": \"2020-12-10T21:13:34.478141+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:34.478141+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/2032256f-9912-476d-805b-ea3f60243ac8\",\r\n \"name\": \"2032256f-9912-476d-805b-ea3f60243ac8\",\r\n \"etag\": \"\\\"23011ecf-0000-0100-0000-60761aeb0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2021-04-13T22:27:55.330819+00:00\",\r\n \"updated\": \"2021-04-13T22:27:55.330819+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n 
\"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:55.330819+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -145,16 +139,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "d7245575-ceee-4253-9d45-61815c0c8b0b" + "6bc3d667-9c25-4083-8c14-905599dfe6cd" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -164,23 +158,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "f3385ebf-0b51-4f76-ad8d-8a6fc6705b3a" + "824720ac-8e54-4e4b-9771-9571c9104348" ], "x-ms-correlation-request-id": [ - "f3385ebf-0b51-4f76-ad8d-8a6fc6705b3a" + "824720ac-8e54-4e4b-9771-9571c9104348" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211336Z:f3385ebf-0b51-4f76-ad8d-8a6fc6705b3a" + "WESTUS2:20210413T222757Z:824720ac-8e54-4e4b-9771-9571c9104348" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -189,7 +180,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:36 GMT" + "Tue, 13 Apr 2021 22:27:57 GMT" ], "Content-Length": [ "2" 
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/InputObject.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/InputObject.json index 8770e421734c..02cd2cfea61e 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/InputObject.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/InputObject.json 
@@ -4,19 +4,19 @@ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvNDMyNDQ0MWEtZGUzOC00MmMyLTgzZGQtYmI5M2RiOTI5ZTdjP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:37:53.5616847Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2021-04-13T22:27:50.6228487Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "51552ad0-8288-4bb0-9ab8-4d123071a673" + "c8190df1-aa00-48cd-89ec-21cf764cd9e0" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "a7701286-8704-4796-a4e6-e1477e080b5a" + "eafcb6d4-f8a8-4a5a-a35c-a20309da186b" ], "x-ms-correlation-request-id": [ - "a7701286-8704-4796-a4e6-e1477e080b5a" + "eafcb6d4-f8a8-4a5a-a35c-a20309da186b" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213754Z:a7701286-8704-4796-a4e6-e1477e080b5a" + "WESTUS2:20210413T222751Z:eafcb6d4-f8a8-4a5a-a35c-a20309da186b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:37:54 GMT" + "Tue, 13 Apr 2021 22:27:51 GMT" ], "Content-Length": [ "935" 
@@ -69,26 +66,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"24005cec-0000-0100-0000-5fd295310000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:37:53.9789403+00:00\",\r\n \"updated\": \"2020-12-10T21:37:53+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:37:53.9789403+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"2301c2ce-0000-0100-0000-60761ae70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2021-04-13T22:27:51.0392928+00:00\",\r\n \"updated\": \"2021-04-13T22:27:51+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n 
\"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:51.0392928+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvNDMyNDQ0MWEtZGUzOC00MmMyLTgzZGQtYmI5M2RiOTI5ZTdjP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"labels\": [],\r\n \"notes\": \"testnotes\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n },\r\n \"etag\": \"\\\"24005cec-0000-0100-0000-5fd295310000\\\"\"\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"labels\": [],\r\n \"notes\": \"testnotes\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n },\r\n \"etag\": \"\\\"2301c2ce-0000-0100-0000-60761ae70000\\\"\"\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "6ee42e2c-d97b-48bb-9a77-0c6e70a8c387" + "58f496e9-f216-4cd3-8c2f-9a9ad0dad60c" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + 
"Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -104,23 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "e15af874-a7d9-4365-9ded-53fb52efabad" + "c9fa9198-5586-44d1-bf2d-d6cbcacfc15b" ], "x-ms-correlation-request-id": [ - "e15af874-a7d9-4365-9ded-53fb52efabad" + "c9fa9198-5586-44d1-bf2d-d6cbcacfc15b" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213755Z:e15af874-a7d9-4365-9ded-53fb52efabad" + "WESTUS2:20210413T222752Z:c9fa9198-5586-44d1-bf2d-d6cbcacfc15b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -129,7 +123,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:37:55 GMT" + "Tue, 13 Apr 2021 22:27:52 GMT" ], "Content-Length": [ "955" 
@@ -141,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"24005dec-0000-0100-0000-5fd295330000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:37:53.9789403+00:00\",\r\n \"updated\": \"2020-12-10T21:37:55+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:37:55.2600476+00:00\",\r\n \"notes\": \"testnotes\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"2301dfce-0000-0100-0000-60761ae80000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2021-04-13T22:27:51.0392928+00:00\",\r\n \"updated\": \"2021-04-13T22:27:52+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - 
azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:52.0451606+00:00\",\r\n \"notes\": \"testnotes\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -151,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "177719f6-2405-43fd-a488-ffdc4e965df7" + "58f496e9-f216-4cd3-8c2f-9a9ad0dad60c" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -170,23 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "74c4c48d-35e1-4dec-be0c-d2187f6c9f3b" + "7d73413f-d949-4325-aa1b-5bf56a8618df" ], "x-ms-correlation-request-id": [ - "74c4c48d-35e1-4dec-be0c-d2187f6c9f3b" + "7d73413f-d949-4325-aa1b-5bf56a8618df" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213755Z:74c4c48d-35e1-4dec-be0c-d2187f6c9f3b" + "WESTUS2:20210413T222751Z:7d73413f-d949-4325-aa1b-5bf56a8618df" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -195,7 +186,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:37:54 GMT" + "Tue, 13 Apr 2021 22:27:51 GMT" ], "Content-Length": [ "943" 
@@ -207,7 +198,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"24005cec-0000-0100-0000-5fd295310000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:37:53.9789403+00:00\",\r\n \"updated\": \"2020-12-10T21:37:53.9789403+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:37:53.9789403+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"name\": \"4324441a-de38-42c2-83dd-bb93db929e7c\",\r\n \"etag\": \"\\\"2301c2ce-0000-0100-0000-60761ae70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2021-04-13T22:27:51.0392928+00:00\",\r\n \"updated\": \"2021-04-13T22:27:51.0392928+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n 
},\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:51.0392928+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -217,16 +208,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "19a9c6a1-bfa7-41d4-9281-079bdd5ad7e9" + "0fff8803-a8a2-4fda-8ba2-bf4950b259a3" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -236,23 +227,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "082677e0-758d-4e75-89ba-cdc535d0938b" + "469b6a43-ea61-40d0-8b18-7079ba4586ac" ], "x-ms-correlation-request-id": [ - "082677e0-758d-4e75-89ba-cdc535d0938b" + "469b6a43-ea61-40d0-8b18-7079ba4586ac" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213756Z:082677e0-758d-4e75-89ba-cdc535d0938b" + "WESTUS2:20210413T222753Z:469b6a43-ea61-40d0-8b18-7079ba4586ac" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -261,7 +249,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:37:56 GMT" + "Tue, 13 Apr 2021 22:27:53 GMT" ], "Content-Length": [ "2" 
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/List.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/List.json index ea1b36fe22a0..14e379976458 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/List.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/List.json 
@@ -4,25 +4,25 @@ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvYTg1ZTNiM2ItYzk1ZS00ZjhkLWI1ZDYtMGU5YmNiZDJlNjY0P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:13:24.551321Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2021-04-13T22:27:40.8459667Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "4efd54fd-3b13-4188-85b2-972a19c35536" + "ef402b85-4384-41eb-97ca-4f2b0043bde2" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], "Content-Length": [ - "152" + "153" ] }, "ResponseHeaders": { 
@@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "53e9f54b-7f49-4450-bc46-b968bd59b5ad" + "a737d5dc-8125-4f1b-942f-ac5cd94c0c1e" ], "x-ms-correlation-request-id": [ - "53e9f54b-7f49-4450-bc46-b968bd59b5ad" + "a737d5dc-8125-4f1b-942f-ac5cd94c0c1e" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211325Z:53e9f54b-7f49-4450-bc46-b968bd59b5ad" + "WESTUS2:20210413T222742Z:a737d5dc-8125-4f1b-942f-ac5cd94c0c1e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:25 GMT" + "Tue, 13 Apr 2021 22:27:41 GMT" ], "Content-Length": [ "935" 
@@ -69,26 +66,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664\",\r\n \"name\": \"a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664\",\r\n \"etag\": \"\\\"2400add7-0000-0100-0000-5fd28f750000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:13:25.1499316+00:00\",\r\n \"updated\": \"2020-12-10T21:13:25+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:25.1499316+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664\",\r\n \"name\": \"a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664\",\r\n \"etag\": \"\\\"2301f3cd-0000-0100-0000-60761add0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2021-04-13T22:27:41.4719683+00:00\",\r\n \"updated\": \"2021-04-13T22:27:41+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n 
\"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:41.4719683+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/91c29052-8ec9-4395-ad6c-e5c6cf562eec?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvOTFjMjkwNTItOGVjOS00Mzk1LWFkNmMtZTVjNmNmNTYyZWVjP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:13:25.9049574Z\",\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2021-04-13T22:27:42.0706829Z\",\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "22cae724-713b-4b04-86ab-0062e002dab1" + "29102b36-bbc3-44c9-881f-ea6eeffec81f" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -104,23 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "2034e179-d2cd-4950-b2a6-210a99618680" + "ef40d186-8296-46b7-b505-e529e841c151" ], "x-ms-correlation-request-id": [ - "2034e179-d2cd-4950-b2a6-210a99618680" + "ef40d186-8296-46b7-b505-e529e841c151" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211326Z:2034e179-d2cd-4950-b2a6-210a99618680" + "WESTUS2:20210413T222743Z:ef40d186-8296-46b7-b505-e529e841c151" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -129,10 +123,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:26 GMT" + "Tue, 13 Apr 2021 22:27:42 GMT" ], "Content-Length": [ - "934" + "936" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -141,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/91c29052-8ec9-4395-ad6c-e5c6cf562eec\",\r\n \"name\": \"91c29052-8ec9-4395-ad6c-e5c6cf562eec\",\r\n \"etag\": \"\\\"2400b4d7-0000-0100-0000-5fd28f760000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"created\": \"2020-12-10T21:13:26.054093+00:00\",\r\n \"updated\": \"2020-12-10T21:13:26+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:26.054093+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/91c29052-8ec9-4395-ad6c-e5c6cf562eec\",\r\n \"name\": \"91c29052-8ec9-4395-ad6c-e5c6cf562eec\",\r\n \"etag\": \"\\\"230104ce-0000-0100-0000-60761ade0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"created\": \"2021-04-13T22:27:42.4246514+00:00\",\r\n \"updated\": \"2021-04-13T22:27:42+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n 
\"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:42.4246514+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -151,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "41059472-2156-4d2c-a45c-052c3f366318" + "822a90df-e144-4393-af1c-2c816fd77949" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -170,23 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11993" + ], "x-ms-request-id": [ - "5fd815a1-281f-4f00-87f8-f73f2958de85" + "b27836a0-cc5b-4839-a224-cfc04aee4de4" ], "x-ms-correlation-request-id": [ - "5fd815a1-281f-4f00-87f8-f73f2958de85" + "b27836a0-cc5b-4839-a224-cfc04aee4de4" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211327Z:5fd815a1-281f-4f00-87f8-f73f2958de85" + "WESTUS2:20210413T222743Z:b27836a0-cc5b-4839-a224-cfc04aee4de4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -195,10 +186,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:26 GMT" + "Tue, 13 Apr 2021 22:27:42 GMT" ], "Content-Length": [ - "43151" + "1900" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -207,7 +198,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/802ebf0f-b9e2-4709-8cf9-2cad46d41596\",\r\n \"name\": \"802ebf0f-b9e2-4709-8cf9-2cad46d41596\",\r\n \"etag\": \"\\\"7900bf62-0000-0100-0000-5fc433650000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-21T00:48:26.3295499+00:00\",\r\n \"updated\": \"2020-11-29T23:48:53.377526+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-21T00:48:26.3295499+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/f67b4895-0a57-4840-a325-40aad9e7956e\",\r\n \"name\": \"f67b4895-0a57-4840-a325-40aad9e7956e\",\r\n \"etag\": \"\\\"2a009d97-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"created\": \"2020-11-21T00:48:27.3713316+00:00\",\r\n \"updated\": \"2020-11-21T00:48:27.3713316+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external 
application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-21T00:48:27.3713316+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/128f0300-48d8-4d47-8c38-f592c44fde8a\",\r\n \"name\": \"128f0300-48d8-4d47-8c38-f592c44fde8a\",\r\n \"etag\": \"\\\"2a009f97-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-21T00:47:38.2998322+00:00\",\r\n \"updated\": \"2020-11-21T00:47:38.2998322+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-21T00:47:38.2998322+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4ecfb467-df14-408c-a412-5cf1e356e453\",\r\n \"name\": \"4ecfb467-df14-408c-a412-5cf1e356e453\",\r\n \"etag\": 
\"\\\"2a009e97-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-21T01:13:53.8513708+00:00\",\r\n \"updated\": \"2020-11-21T01:13:53.8513708+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-21T01:13:53.8513708+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a006f83b-4cf9-4288-8c8b-9265cf9dce06\",\r\n \"name\": \"a006f83b-4cf9-4288-8c8b-9265cf9dce06\",\r\n \"etag\": \"\\\"2a00a097-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-21T01:13:12.9332935+00:00\",\r\n \"updated\": \"2020-11-21T01:13:12.9332935+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-21T01:13:12.9332935+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": 
null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/28da9a9c-df57-4cff-9edb-dbfdbb40d612\",\r\n \"name\": \"28da9a9c-df57-4cff-9edb-dbfdbb40d612\",\r\n \"etag\": \"\\\"2a00a197-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"created\": \"2020-11-21T00:47:39.6301262+00:00\",\r\n \"updated\": \"2020-11-21T00:47:39.6301262+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-21T00:47:39.6301262+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/53307567-1c0f-4477-9bac-bc1bccc9e5a3\",\r\n \"name\": \"53307567-1c0f-4477-9bac-bc1bccc9e5a3\",\r\n \"etag\": \"\\\"2a00a297-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-21T00:46:29.8471652+00:00\",\r\n \"updated\": \"2020-11-21T00:46:29.8471652+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas 
DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-21T00:46:29.8471652+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/9311e1d4-8142-4da0-977e-a4931bd73d6f\",\r\n \"name\": \"9311e1d4-8142-4da0-977e-a4931bd73d6f\",\r\n \"etag\": \"\\\"2a00a397-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"SigninLogs - a4931bd73d6f\",\r\n \"created\": \"2020-11-19T00:01:16.0096502+00:00\",\r\n \"updated\": \"2020-11-19T00:01:16.0096502+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-19T00:01:16.0096502+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SigninLogs\\n\",\r\n \"queryResult\": \"{\\\"TenantId\\\":\\\"581abdd1-9710-484b-867d-a69495aab7f5\\\",\\\"SourceSystem\\\":\\\"Azure AD\\\",\\\"TimeGenerated\\\":\\\"2020-11-18T22:33:03.473Z\\\",\\\"ResourceId\\\":\\\"/tenants/5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in 
activity\\\",\\\"OperationVersion\\\":\\\"1.0\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"8ea7b7c1-e974-4a4e-b9ee-80712edb1bee\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity\\\":\\\"On-Premises Directory Synchronization Service Account\\\",\\\"Level\\\":\\\"4\\\",\\\"Location\\\":\\\"US\\\",\\\"AlternateSignInName\\\":\\\"Sync_ContosoDc_a8016d9ed6f4@buildseccxpninja.onmicrosoft.com\\\",\\\"AppDisplayName\\\":\\\"Microsoft Azure Active Directory Connect\\\",\\\"AppId\\\":\\\"cb1056e2-e479-49de-ae31-7812af012ed8\\\",\\\"AuthenticationDetails\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2020-11-18T22:33:03.4737768+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"PHS\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethodDetail\\\\\\\": \\\\\\\"\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary Authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed\\\":\\\"\\\",\\\"AuthenticationProcessingDetails\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies\\\":\\\"[]\\\",\\\"ClientAppUsed\\\":\\\"Mobile Apps and Desktop clients\\\",\\\"ConditionalAccessPolicies\\\":\\\"[{\\\\\\\"id\\\\\\\":\\\\\\\"009a2a41-4712-4d63-be23-f9f67ad382b9\\\\\\\",\\\\\\\"displayName\\\\\\\":\\\\\\\"Sarahzin: Airlift Test MCAS 
CAAC\\\\\\\",\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"enforcedSessionControls\\\\\\\":[\\\\\\\"CloudAppSecurity\\\\\\\"],\\\\\\\"result\\\\\\\":\\\\\\\"notApplied\\\\\\\",\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"conditionsNotSatisfied\\\\\\\":1},{\\\\\\\"id\\\\\\\":\\\\\\\"3142390b-7ec6-485a-b070-bb5cfc93005d\\\\\\\",\\\\\\\"displayName\\\\\\\":\\\\\\\"MFA\\\\\\\",\\\\\\\"enforcedGrantControls\\\\\\\":[\\\\\\\"Mfa\\\\\\\"],\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"result\\\\\\\":\\\\\\\"reportOnlyInterrupted\\\\\\\",\\\\\\\"conditionsSatisfied\\\\\\\":3,\\\\\\\"conditionsNotSatisfied\\\\\\\":0}]\\\",\\\"ConditionalAccessStatus\\\":\\\"notApplied\\\",\\\"CreatedDateTime\\\":\\\"2020-11-18T22:33:03Z\\\",\\\"DeviceDetail\\\":\\\"{\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 8\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Rich Client 5.2.2.0\\\\\\\"}\\\",\\\"IsInteractive\\\":\\\"false\\\",\\\"Id\\\":\\\"82d5951c-62e7-4007-b838-0af159402c00\\\",\\\"IPAddress\\\":\\\"13.68.147.150\\\",\\\"IsRisky\\\":\\\"\\\",\\\"LocationDetails\\\":\\\"{\\\\\\\"city\\\\\\\":\\\\\\\"Washington\\\\\\\",\\\\\\\"state\\\\\\\":\\\\\\\"Virginia\\\\\\\",\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"US\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"latitude\\\\\\\":38.7130012512207,\\\\\\\"longitude\\\\\\\":-78.15899658203125}}\\\",\\\"MfaDetail\\\":\\\"\\\",\\\"NetworkLocationDetails\\\":\\\"[]\\\",\\\"OriginalRequestId\\\":\\\"82d5951c-62e7-4007-b838-0af159402c00\\\",\\\"ProcessingTimeInMilliseconds\\\":\\\"143\\\",\\\"RiskDetail\\\":\\\"none\\\",\\\"RiskEventTypes\\\":\\\"[]\\\",\\\"RiskEventTypes_V2\\\":\\\"[]\\\",\\\"RiskLevelAggregated\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn\\\":\\\"none\\\",\\\"RiskState\\\":\\\"none\\\",\\\"ResourceDisplayName\\\":\\\"Windows Azure Active 
Directory\\\",\\\"ResourceIdentity\\\":\\\"00000002-0000-0000-c000-000000000000\\\",\\\"ServicePrincipalId\\\":\\\"\\\",\\\"ServicePrincipalName\\\":\\\"\\\",\\\"Status\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"TokenIssuerName\\\":\\\"\\\",\\\"TokenIssuerType\\\":\\\"AzureAD\\\",\\\"UserAgent\\\":\\\"\\\",\\\"UserDisplayName\\\":\\\"On-Premises Directory Synchronization Service Account\\\",\\\"UserId\\\":\\\"a82ec49c-dbb3-4398-baec-b45e9cd487a8\\\",\\\"UserPrincipalName\\\":\\\"sync_contosodc_a8016d9ed6f4@buildseccxpninja.onmicrosoft.com\\\",\\\"AADTenantId\\\":\\\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\\\",\\\"Type\\\":\\\"SigninLogs\\\",\\\"__entityMapping\\\":{\\\"sync_contosodc_a8016d9ed6f4@buildseccxpninja.onmicrosoft.com\\\":\\\"Account\\\"}}\",\r\n \"queryStartTime\": \"2020-11-18T00:01:06.048+00:00\",\r\n \"queryEndTime\": \"2020-11-19T00:01:06.048+00:00\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a9686dc8-295e-4f38-b814-46a1fc3fae20\",\r\n \"name\": \"a9686dc8-295e-4f38-b814-46a1fc3fae20\",\r\n \"etag\": \"\\\"4000b114-0000-0100-0000-5fbc17d70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-23T20:13:11.6679003+00:00\",\r\n \"updated\": \"2020-11-23T20:13:11.6679003+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": 
\"2020-11-23T20:13:11.6679003+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/f30ed335-9611-4ce7-9580-6477621d6146\",\r\n \"name\": \"f30ed335-9611-4ce7-9580-6477621d6146\",\r\n \"etag\": \"\\\"4000201f-0000-0100-0000-5fbc18ce0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-23T20:17:18.5956906+00:00\",\r\n \"updated\": \"2020-11-23T20:17:18.5956906+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-23T20:17:18.5956906+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/76e19170-5585-46de-8b05-94b168011fde\",\r\n \"name\": \"76e19170-5585-46de-8b05-94b168011fde\",\r\n \"etag\": \"\\\"4000cd22-0000-0100-0000-5fbc19510000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-23T20:19:28.9516191+00:00\",\r\n \"updated\": 
\"2020-11-23T20:19:28.9516191+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-23T20:19:28.9516191+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/d3bb9fea-601e-4d22-8e17-261a9c2e0c70\",\r\n \"name\": \"d3bb9fea-601e-4d22-8e17-261a9c2e0c70\",\r\n \"etag\": \"\\\"4000c128-0000-0100-0000-5fbc19bc0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-23T20:21:16.0553845+00:00\",\r\n \"updated\": \"2020-11-23T20:21:16.0553845+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-23T20:21:16.0553845+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/c3384ba3-5239-4efb-aac7-059a68cf4468\",\r\n \"name\": \"c3384ba3-5239-4efb-aac7-059a68cf4468\",\r\n \"etag\": \"\\\"7900f15d-0000-0100-0000-5fc432dc0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-23T20:23:07.460191+00:00\",\r\n \"updated\": \"2020-11-29T23:46:36.7976088+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-23T20:23:07.460191+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/133104c7-b9a1-43a1-ab23-9f9f6852e5f0\",\r\n \"name\": \"133104c7-b9a1-43a1-ab23-9f9f6852e5f0\",\r\n \"etag\": \"\\\"4000a92e-0000-0100-0000-5fbc1a740000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-23T20:24:19.2949869+00:00\",\r\n \"updated\": \"2020-11-23T20:24:20.6389456+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n 
\"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-23T20:24:20.6389456+00:00\",\r\n \"notes\": \"PoshModuleTest\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/cff8db73-5750-4336-bd85-f315b87c2a8b\",\r\n \"name\": \"cff8db73-5750-4336-bd85-f315b87c2a8b\",\r\n \"etag\": \"\\\"6e00b017-0000-0100-0000-5fc2b93e0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T20:55:26.9889304+00:00\",\r\n \"updated\": \"2020-11-28T20:55:26.9889304+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-28T20:55:26.9889304+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/44088825-793c-426c-88dc-12988abb89b7\",\r\n \"name\": \"44088825-793c-426c-88dc-12988abb89b7\",\r\n \"etag\": 
\"\\\"6e006618-0000-0100-0000-5fc2b95b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T20:55:55.9839747+00:00\",\r\n \"updated\": \"2020-11-28T20:55:55.9839747+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-28T20:55:55.9839747+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/cf37bcfe-52b2-4546-a5c6-cbf2ba5e1891\",\r\n \"name\": \"cf37bcfe-52b2-4546-a5c6-cbf2ba5e1891\",\r\n \"etag\": \"\\\"6e001519-0000-0100-0000-5fc2b9730000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T20:56:19.5925757+00:00\",\r\n \"updated\": \"2020-11-28T20:56:19.5925757+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-28T20:56:19.5925757+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": 
null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4d48845a-3be9-47bb-83e5-29b7d0693552\",\r\n \"name\": \"4d48845a-3be9-47bb-83e5-29b7d0693552\",\r\n \"etag\": \"\\\"6e00ab21-0000-0100-0000-5fc2ba6a0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T21:00:26.7187476+00:00\",\r\n \"updated\": \"2020-11-28T21:00:26.7187476+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-28T21:00:26.7187476+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/1bdf91bd-f0ad-4e32-8d2e-9468624424e3\",\r\n \"name\": \"1bdf91bd-f0ad-4e32-8d2e-9468624424e3\",\r\n \"etag\": \"\\\"6e006222-0000-0100-0000-5fc2ba7f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T21:00:47.6388329+00:00\",\r\n \"updated\": \"2020-11-28T21:00:47.6388329+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n 
\"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-11-28T21:00:47.6388329+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/c474ed12-3c06-4360-ac9a-709b106bb8c2\",\r\n \"name\": \"c474ed12-3c06-4360-ac9a-709b106bb8c2\",\r\n \"etag\": \"\\\"7900cd64-0000-0100-0000-5fc433a90000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T21:04:53.8526734+00:00\",\r\n \"updated\": \"2020-11-29T23:42:05.3933077+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-28T21:05:53.4671603+00:00\",\r\n \"notes\": \"testnotes\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": \"24a9d0ef-a43c-43a6-a96e-fb0a5bf2ac86\",\r\n \"title\": \"PoshModuleTest\",\r\n \"relationName\": \"76d05727-32c2-4da3-ad4d-07cd2c02a441\",\r\n \"severity\": \"Low\"\r\n }\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/3ad87ae4-4e0e-46f1-9f2e-662466b4ff1b\",\r\n \"name\": \"3ad87ae4-4e0e-46f1-9f2e-662466b4ff1b\",\r\n \"etag\": \"\\\"7900e74c-0000-0100-0000-5fc430b10000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-11-28T21:06:29.8257871+00:00\",\r\n \"updated\": \"2020-11-28T21:06:31.660384+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-11-28T21:06:31.660384+00:00\",\r\n \"notes\": \"testnotes\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": \"9ad4e331-42c9-4629-a77d-6067d823c537\",\r\n \"title\": \"PoshModuleTest\",\r\n \"relationName\": \"e4f5a064-8cfe-4f76-9076-413c068bfc1f\",\r\n \"severity\": \"Medium\"\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/21e60cdb-6f45-4974-8e1a-31c4742c5fbb\",\r\n \"name\": \"21e60cdb-6f45-4974-8e1a-31c4742c5fbb\",\r\n \"etag\": \"\\\"0000e0ac-0000-0100-0000-5fca66fb0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"testposh\",\r\n \"created\": \"2020-12-04T16:42:35.8794779+00:00\",\r\n \"updated\": \"2020-12-04T16:42:35.8794779+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": 
\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\r\n \"email\": \"ndicola@buildseccxpninja.onmicrosoft.com\",\r\n \"name\": \"Nicholas DiCola\"\r\n },\r\n \"eventTime\": \"2020-12-04T16:42:35.8794779+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityEvent | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/76d5683f-3354-418e-8e9e-2c8d2ef8249f\",\r\n \"name\": \"76d5683f-3354-418e-8e9e-2c8d2ef8249f\",\r\n \"etag\": \"\\\"0d00b521-0000-0100-0000-5fceef090000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:12:09.7101737+00:00\",\r\n \"updated\": \"2020-12-08T03:12:09.7101737+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:12:09.7101737+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/8b7c4b29-ed79-4aa5-958f-030711910940\",\r\n \"name\": \"8b7c4b29-ed79-4aa5-958f-030711910940\",\r\n \"etag\": \"\\\"0d00b821-0000-0100-0000-5fceef0c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:12:12.0334714+00:00\",\r\n \"updated\": \"2020-12-08T03:12:12.0334714+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:12:12.0334714+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/e66b9b59-e412-4e13-b357-f59143808bb6\",\r\n \"name\": \"e66b9b59-e412-4e13-b357-f59143808bb6\",\r\n \"etag\": \"\\\"0d000423-0000-0100-0000-5fceef660000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:13:42.321484+00:00\",\r\n \"updated\": \"2020-12-08T03:13:42.321484+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": 
\"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:13:42.321484+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/c2540532-d3dd-4c7a-8e44-b4ec08d9f60a\",\r\n \"name\": \"c2540532-d3dd-4c7a-8e44-b4ec08d9f60a\",\r\n \"etag\": \"\\\"0d001023-0000-0100-0000-5fceef680000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:13:44.5562983+00:00\",\r\n \"updated\": \"2020-12-08T03:13:44.5562983+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:13:44.5562983+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/51a81255-6f72-4b16-8112-9c3ba75d5a6c\",\r\n \"name\": \"51a81255-6f72-4b16-8112-9c3ba75d5a6c\",\r\n \"etag\": \"\\\"0d00b44b-0000-0100-0000-5fcef7170000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n 
\"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:46:31.5438983+00:00\",\r\n \"updated\": \"2020-12-08T03:46:31.5438983+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:46:31.5438983+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/4db01edb-f069-47a0-b11e-23f14100dc6c\",\r\n \"name\": \"4db01edb-f069-47a0-b11e-23f14100dc6c\",\r\n \"etag\": \"\\\"0d007b4e-0000-0100-0000-5fcef7b30000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:49:07.3026686+00:00\",\r\n \"updated\": \"2020-12-08T03:49:07.3026686+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:49:07.3026686+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/159318ca-f504-4a8e-972b-8dac2f679870\",\r\n \"name\": \"159318ca-f504-4a8e-972b-8dac2f679870\",\r\n \"etag\": \"\\\"0d00ef4e-0000-0100-0000-5fcef7e80000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:50:00.8850512+00:00\",\r\n \"updated\": \"2020-12-08T03:50:00.8850512+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:50:00.8850512+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/196d69f7-472f-42ab-a3a1-7743202ea539\",\r\n \"name\": \"196d69f7-472f-42ab-a3a1-7743202ea539\",\r\n \"etag\": \"\\\"0d003d4f-0000-0100-0000-5fcef8280000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:51:04.5000651+00:00\",\r\n \"updated\": \"2020-12-08T03:51:04.5000651+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": 
\"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:51:04.5000651+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a38f7395-e3b4-4b64-bf09-ec0848ece893\",\r\n \"name\": \"a38f7395-e3b4-4b64-bf09-ec0848ece893\",\r\n \"etag\": \"\\\"0d008f4f-0000-0100-0000-5fcef8410000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:51:29.8640501+00:00\",\r\n \"updated\": \"2020-12-08T03:51:29.8640501+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:51:29.8640501+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/628846a5-6218-4185-84a7-2e9e1784bd71\",\r\n \"name\": \"628846a5-6218-4185-84a7-2e9e1784bd71\",\r\n \"etag\": \"\\\"0d003e50-0000-0100-0000-5fcef8740000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n 
\"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:52:20.4519573+00:00\",\r\n \"updated\": \"2020-12-08T03:52:20.4519573+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:52:20.4519573+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/41fc8778-9b2b-424c-aa91-84ceaeccceb3\",\r\n \"name\": \"41fc8778-9b2b-424c-aa91-84ceaeccceb3\",\r\n \"etag\": \"\\\"0d00c350-0000-0100-0000-5fcef88f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:52:47.3531488+00:00\",\r\n \"updated\": \"2020-12-08T03:52:47.3531488+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:52:47.3531488+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/9af382e0-e2cc-4515-bc69-ceebe67a6458\",\r\n \"name\": \"9af382e0-e2cc-4515-bc69-ceebe67a6458\",\r\n \"etag\": \"\\\"0d005951-0000-0100-0000-5fcef8b90000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:53:29.6581833+00:00\",\r\n \"updated\": \"2020-12-08T03:53:29.6581833+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:53:29.6581833+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/e6a68660-0015-4a20-8e46-5e57f890b528\",\r\n \"name\": \"e6a68660-0015-4a20-8e46-5e57f890b528\",\r\n \"etag\": \"\\\"0d00fa51-0000-0100-0000-5fcef8de0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:54:06.0961248+00:00\",\r\n \"updated\": \"2020-12-08T03:54:06.0961248+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": 
\"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:54:06.0961248+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/c65fd41e-a5ae-490d-a436-10ac4d891a47\",\r\n \"name\": \"c65fd41e-a5ae-490d-a436-10ac4d891a47\",\r\n \"etag\": \"\\\"0d009556-0000-0100-0000-5fcef9be0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T03:57:50.7132333+00:00\",\r\n \"updated\": \"2020-12-08T03:57:50.7132333+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T03:57:50.7132333+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/1b6e404c-45b2-4625-bc6b-760f30b807be\",\r\n \"name\": \"1b6e404c-45b2-4625-bc6b-760f30b807be\",\r\n \"etag\": \"\\\"0d003960-0000-0100-0000-5fcefc980000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n 
\"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T04:10:00.8121752+00:00\",\r\n \"updated\": \"2020-12-08T04:10:00.8121752+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T04:10:00.8121752+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/7f9c53fa-ae8d-4b64-9363-cca827829664\",\r\n \"name\": \"7f9c53fa-ae8d-4b64-9363-cca827829664\",\r\n \"etag\": \"\\\"0d000761-0000-0100-0000-5fcefcb80000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T04:10:32.2608425+00:00\",\r\n \"updated\": \"2020-12-08T04:10:32.2608425+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T04:10:32.2608425+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/f8c96971-3a56-4be3-b08f-4c1d0534e824\",\r\n \"name\": \"f8c96971-3a56-4be3-b08f-4c1d0534e824\",\r\n \"etag\": \"\\\"0d007763-0000-0100-0000-5fcefd1f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-08T04:12:15.2755981+00:00\",\r\n \"updated\": \"2020-12-08T04:12:15.2755981+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-08T04:12:15.2755981+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664\",\r\n \"name\": \"a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664\",\r\n \"etag\": \"\\\"2400add7-0000-0100-0000-5fd28f750000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:13:25.1499316+00:00\",\r\n \"updated\": \"2020-12-10T21:13:25.1499316+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": 
\"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:25.1499316+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/91c29052-8ec9-4395-ad6c-e5c6cf562eec\",\r\n \"name\": \"91c29052-8ec9-4395-ad6c-e5c6cf562eec\",\r\n \"etag\": \"\\\"2400b4d7-0000-0100-0000-5fd28f760000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"created\": \"2020-12-10T21:13:26.054093+00:00\",\r\n \"updated\": \"2020-12-10T21:13:26.054093+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:26.054093+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n }\r\n ]\r\n}",
+ "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664\",\r\n \"name\": \"a85e3b3b-c95e-4f8d-b5d6-0e9bcbd2e664\",\r\n \"etag\": \"\\\"2301f3cd-0000-0100-0000-60761add0000\\\"\",\r\n \"type\": 
\"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2021-04-13T22:27:41.4719683+00:00\",\r\n \"updated\": \"2021-04-13T22:27:41.4719683+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:41.4719683+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/91c29052-8ec9-4395-ad6c-e5c6cf562eec\",\r\n \"name\": \"91c29052-8ec9-4395-ad6c-e5c6cf562eec\",\r\n \"etag\": \"\\\"230104ce-0000-0100-0000-60761ade0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest2\",\r\n \"created\": \"2021-04-13T22:27:42.4246514+00:00\",\r\n \"updated\": \"2021-04-13T22:27:42.4246514+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:42.4246514+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n }\r\n ]\r\n}", 
"StatusCode": 200
 },
 {
@@ -217,16 +208,16 @@
 "RequestBody": "",
 "RequestHeaders": {
 "x-ms-client-request-id": [
- "e536877c-b530-4b8a-a2b2-76fb6d986b1e"
+ "834f1fb6-7305-4117-9f53-a9f97b29b2f7"
 ],
 "Accept-Language": [
 "en-US"
 ],
 "User-Agent": [
- "FxVersion/4.6.29321.03",
+ "FxVersion/4.6.29812.02",
 "OSName/Windows",
 "OSVersion/Microsoft.Windows.10.0.19042.",
- "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0"
 ]
 },
 "ResponseHeaders": {
@@ -236,23 +227,20 @@
 "Pragma": [
 "no-cache"
 ],
- "x-ms-ratelimit-remaining-subscription-deletes": [
- "14999"
- ],
- "api-supported-versions": [
- "2019-01-01"
- ],
 "Server": [
 "Kestrel"
 ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
 "x-ms-request-id": [
- "73644497-9e9f-4cd1-a9d3-a108c631c312"
+ "3ea684e7-f1a1-401f-ad9c-cdf3d7dbf31a"
 ],
 "x-ms-correlation-request-id": [
- "73644497-9e9f-4cd1-a9d3-a108c631c312"
+ "3ea684e7-f1a1-401f-ad9c-cdf3d7dbf31a"
 ],
 "x-ms-routing-request-id": [
- "WESTUS2:20201210T211327Z:73644497-9e9f-4cd1-a9d3-a108c631c312"
+ "WESTUS2:20210413T222744Z:3ea684e7-f1a1-401f-ad9c-cdf3d7dbf31a"
 ],
 "Strict-Transport-Security": [
 "max-age=31536000; includeSubDomains"
@@ -261,7 +249,7 @@
 "nosniff"
 ],
 "Date": [
- "Thu, 10 Dec 2020 21:13:27 GMT"
+ "Tue, 13 Apr 2021 22:27:43 GMT"
 ],
 "Content-Length": [
 "2"
@@ -283,16 +271,16 @@
 "RequestBody": "",
 "RequestHeaders": {
 "x-ms-client-request-id": [
- "c141935a-e2c0-433c-9e2c-8293bd6929b0"
+ "91090185-334f-4f75-afd0-6ce8b7ea3218"
 ],
 "Accept-Language": [
 "en-US"
 ],
 "User-Agent": [
- "FxVersion/4.6.29321.03",
+ "FxVersion/4.6.29812.02",
 "OSName/Windows",
 "OSVersion/Microsoft.Windows.10.0.19042.",
- "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0"
 ]
 },
 "ResponseHeaders": {
@@ -302,23 +290,20 @@
 "Pragma": [
 "no-cache"
 ],
- "x-ms-ratelimit-remaining-subscription-deletes": [
- "14998"
- ],
- "api-supported-versions": [
- "2019-01-01"
- ],
 "Server": [
 "Kestrel"
 ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14998"
+ ],
 "x-ms-request-id": [
- "3678343d-3c6b-4f85-a296-0602df52f691"
+ "460e442b-07d1-4e04-8406-9c3b349cca5c"
 ],
 "x-ms-correlation-request-id": [
- "3678343d-3c6b-4f85-a296-0602df52f691"
+ "460e442b-07d1-4e04-8406-9c3b349cca5c"
 ],
 "x-ms-routing-request-id": [
- "WESTUS2:20201210T211328Z:3678343d-3c6b-4f85-a296-0602df52f691"
+ "WESTUS2:20210413T222745Z:460e442b-07d1-4e04-8406-9c3b349cca5c"
 ],
 "Strict-Transport-Security": [
 "max-age=31536000; includeSubDomains"
@@ -327,7 +312,7 @@
 "nosniff"
 ],
 "Date": [
- "Thu, 10 Dec 2020 21:13:28 GMT"
+ "Tue, 13 Apr 2021 22:27:44 GMT"
 ],
 "Content-Length": [
 "2"
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Remove.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Remove.json
index 321d999c89d0..49bf30dbfd7e 100644
--- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Remove.json
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Remove.json
@@ -4,19 +4,19 @@
 "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/a18251f2-1a0f-45f2-bb0d-ad4121911fce?api-version=2020-01-01",
 "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvYTE4MjUxZjItMWEwZi00NWYyLWJiMGQtYWQ0MTIxOTExZmNlP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=",
 "RequestMethod": "PUT",
- "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:13:21.8456035Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}",
+ "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2021-04-13T22:27:37.3565679Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}",
 "RequestHeaders": {
 "x-ms-client-request-id": [
- "a5beac69-7073-4d68-b573-c522d4f222ff"
+ "e31f8441-78cf-4a01-b54c-6053ccf9ead5"
 ],
 "Accept-Language": [
 "en-US"
 ],
 "User-Agent": [
- "FxVersion/4.6.29321.03",
+ "FxVersion/4.6.29812.02",
 "OSName/Windows",
 "OSVersion/Microsoft.Windows.10.0.19042.",
- "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0"
 ],
 "Content-Type": [
 "application/json; charset=utf-8"
@@ -32,23 +32,20 @@
 "Pragma": [
 "no-cache"
 ],
- "x-ms-ratelimit-remaining-subscription-writes": [
- "1199"
- ],
- "api-supported-versions": [
- "2019-01-01"
- ],
 "Server": [
 "Kestrel"
 ],
+ "x-ms-ratelimit-remaining-subscription-writes": [
+ "1199"
+ ],
 "x-ms-request-id": [
- "d601e04a-7269-446f-a1f5-3f28dd137c8f"
+ "43ef0628-f29b-490e-9c89-4bca04e3788b"
 ],
 "x-ms-correlation-request-id": [
- "d601e04a-7269-446f-a1f5-3f28dd137c8f"
+ "43ef0628-f29b-490e-9c89-4bca04e3788b"
 ],
 "x-ms-routing-request-id": [
- "WESTUS2:20201210T211322Z:d601e04a-7269-446f-a1f5-3f28dd137c8f"
+ "WESTUS2:20210413T222738Z:43ef0628-f29b-490e-9c89-4bca04e3788b"
 ],
 "Strict-Transport-Security": [
 "max-age=31536000; includeSubDomains"
@@ -57,7 +54,7 @@
 "nosniff"
 ],
 "Date": [
- "Thu, 10 Dec 2020 21:13:22 GMT"
+ "Tue, 13 Apr 2021 22:27:38 GMT"
 ],
 "Content-Length": [
 "935"
@@ -69,7 +66,7 @@
 "-1"
 ]
 },
- "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a18251f2-1a0f-45f2-bb0d-ad4121911fce\",\r\n \"name\": \"a18251f2-1a0f-45f2-bb0d-ad4121911fce\",\r\n \"etag\": \"\\\"240095d7-0000-0100-0000-5fd28f720000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:13:22.0659618+00:00\",\r\n \"updated\": \"2020-12-10T21:13:22+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:13:22.0659618+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
+ "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/a18251f2-1a0f-45f2-bb0d-ad4121911fce\",\r\n \"name\": \"a18251f2-1a0f-45f2-bb0d-ad4121911fce\",\r\n \"etag\": \"\\\"2301a9cd-0000-0100-0000-60761ada0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2021-04-13T22:27:38.0752017+00:00\",\r\n \"updated\": \"2021-04-13T22:27:38+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": 
{\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:38.0752017+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}",
 "StatusCode": 200
 },
 {
@@ -79,16 +76,16 @@
 "RequestBody": "",
 "RequestHeaders": {
 "x-ms-client-request-id": [
- "17be64e7-80d5-48a1-997c-5672678eee56"
+ "80a2ba27-3468-47c1-ae0e-391c7d81fb70"
 ],
 "Accept-Language": [
 "en-US"
 ],
 "User-Agent": [
- "FxVersion/4.6.29321.03",
+ "FxVersion/4.6.29812.02",
 "OSName/Windows",
 "OSVersion/Microsoft.Windows.10.0.19042.",
- "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0"
+ "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0"
 ]
 },
 "ResponseHeaders": {
@@ -98,23 +95,20 @@
 "Pragma": [
 "no-cache"
 ],
- "x-ms-ratelimit-remaining-subscription-deletes": [
- "14999"
- ],
- "api-supported-versions": [
- "2019-01-01"
- ],
 "Server": [
 "Kestrel"
 ],
+ "x-ms-ratelimit-remaining-subscription-deletes": [
+ "14999"
+ ],
 "x-ms-request-id": [
- "9644cf5f-8dbf-4564-9f6e-1ddf55c3cf9b"
+ "92c07094-7ecf-47b5-9be4-9690a48a81cf"
 ],
 "x-ms-correlation-request-id": [
- "9644cf5f-8dbf-4564-9f6e-1ddf55c3cf9b"
+ "92c07094-7ecf-47b5-9be4-9690a48a81cf"
 ],
 "x-ms-routing-request-id": [
- "WESTUS2:20201210T211323Z:9644cf5f-8dbf-4564-9f6e-1ddf55c3cf9b"
+ "WESTUS2:20210413T222740Z:92c07094-7ecf-47b5-9be4-9690a48a81cf"
 ],
 "Strict-Transport-Security": [
 "max-age=31536000; includeSubDomains"
@@ -123,7 +117,7 @@
 "nosniff"
 ],
 "Date": [
- "Thu, 10 Dec 2020 21:13:23 GMT"
+ "Tue, 13 Apr 2021 22:27:39 GMT"
 ],
 "Content-Length": [
 "2"
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Update.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Update.json
index ef0e1432198b..03d604b1cfd3 100644
--- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Update.json
+++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.BookmarksTests/Update.json
@@ -4,25 +4,25 @@ "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvZTE2MDZjYTUtY2QwNS00MmJhLWFjNzctY2RmMGRhNGI3MTlmP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2020-12-10T21:39:02.754166Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n \"created\": \"2021-04-13T22:27:46.2768239Z\",\r\n \"displayName\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "ab65b944-4954-4387-bbe0-8b2e751ba8d7" + "88994344-fb75-4ee1-acf9-9ec435a1bfdb" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" ], "Content-Length": [ - "152" + "153" ] }, "ResponseHeaders": { 
@@ -32,23 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "57fa9c0b-4619-4ff6-9cb9-e30b081f91e9" + "f69da16a-979e-4204-b42b-84f5973373c5" ], "x-ms-correlation-request-id": [ - "57fa9c0b-4619-4ff6-9cb9-e30b081f91e9" + "f69da16a-979e-4204-b42b-84f5973373c5" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213904Z:57fa9c0b-4619-4ff6-9cb9-e30b081f91e9" + "WESTUS2:20210413T222747Z:f69da16a-979e-4204-b42b-84f5973373c5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -57,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:39:03 GMT" + "Tue, 13 Apr 2021 22:27:47 GMT" ], "Content-Length": [ "935" 
@@ -69,26 +66,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"name\": \"e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"etag\": \"\\\"2400eaec-0000-0100-0000-5fd295770000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:39:03.3622705+00:00\",\r\n \"updated\": \"2020-12-10T21:39:03+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:39:03.3622705+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"name\": \"e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"etag\": \"\\\"23014ece-0000-0100-0000-60761ae20000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2021-04-13T22:27:46.6826763+00:00\",\r\n \"updated\": \"2021-04-13T22:27:46+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n 
\"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:46.6826763+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9ib29rbWFya3MvZTE2MDZjYTUtY2QwNS00MmJhLWFjNzctY2RmMGRhNGI3MTlmP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"labels\": [],\r\n \"notes\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n },\r\n \"etag\": \"\\\"2400eaec-0000-0100-0000-5fd295770000\\\"\"\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"labels\": [],\r\n \"notes\": \"PoshModuleTest\",\r\n \"query\": \"SecurityAlert | take 1\"\r\n },\r\n \"etag\": \"\\\"23014ece-0000-0100-0000-60761ae20000\\\"\"\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "94a33125-6f46-488d-8f42-f30ad17435d1" + "0c3f9154-132e-4889-97a4-dda54d0de9a4" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + 
"Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -104,23 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1197" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "42b26e96-f302-428a-a03a-d60bf7f290a8" + "d59e7a00-d4ab-4426-8839-fb499c750c86" ], "x-ms-correlation-request-id": [ - "42b26e96-f302-428a-a03a-d60bf7f290a8" + "d59e7a00-d4ab-4426-8839-fb499c750c86" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213905Z:42b26e96-f302-428a-a03a-d60bf7f290a8" + "WESTUS2:20210413T222748Z:d59e7a00-d4ab-4426-8839-fb499c750c86" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -129,7 +123,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:39:05 GMT" + "Tue, 13 Apr 2021 22:27:48 GMT" ], "Content-Length": [ "960" 
@@ -141,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"name\": \"e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"etag\": \"\\\"2400ecec-0000-0100-0000-5fd295780000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:39:03.3622705+00:00\",\r\n \"updated\": \"2020-12-10T21:39:04+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:39:04.9605018+00:00\",\r\n \"notes\": \"PoshModuleTest\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"name\": \"e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"etag\": \"\\\"230165ce-0000-0100-0000-60761ae40000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2021-04-13T22:27:46.6826763+00:00\",\r\n \"updated\": \"2021-04-13T22:27:48+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application 
- azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:47.9927516+00:00\",\r\n \"notes\": \"PoshModuleTest\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -151,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "f45c5f50-8f7d-4edd-acbc-074568e1c229" + "0c3f9154-132e-4889-97a4-dda54d0de9a4" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -170,23 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11993" + ], "x-ms-request-id": [ - "7830789d-46b1-4080-b381-39e0d2fa1994" + "239e7ce3-6721-4d7d-ab9f-2886cc18536b" ], "x-ms-correlation-request-id": [ - "7830789d-46b1-4080-b381-39e0d2fa1994" + "239e7ce3-6721-4d7d-ab9f-2886cc18536b" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213904Z:7830789d-46b1-4080-b381-39e0d2fa1994" + "WESTUS2:20210413T222747Z:239e7ce3-6721-4d7d-ab9f-2886cc18536b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -195,7 +186,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:39:03 GMT" + "Tue, 13 Apr 2021 22:27:47 GMT" ], "Content-Length": [ "943" 
@@ -207,7 +198,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"name\": \"e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"etag\": \"\\\"2400eaec-0000-0100-0000-5fd295770000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2020-12-10T21:39:03.3622705+00:00\",\r\n \"updated\": \"2020-12-10T21:39:03.3622705+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2020-12-10T21:39:03.3622705+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Bookmarks/e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"name\": \"e1606ca5-cd05-42ba-ac77-cdf0da4b719f\",\r\n \"etag\": \"\\\"23014ece-0000-0100-0000-60761ae20000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Bookmarks\",\r\n \"properties\": {\r\n \"displayName\": \"PoshModuleTest\",\r\n \"created\": \"2021-04-13T22:27:46.6826763+00:00\",\r\n \"updated\": \"2021-04-13T22:27:46.6826763+00:00\",\r\n \"createdBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n 
},\r\n \"updatedBy\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"name\": \"Bookmark created from external application - azsposh\"\r\n },\r\n \"eventTime\": \"2021-04-13T22:27:46.6826763+00:00\",\r\n \"labels\": [],\r\n \"query\": \"SecurityAlert | take 1\",\r\n \"incidentInfo\": {\r\n \"incidentId\": null,\r\n \"title\": null,\r\n \"relationName\": null,\r\n \"severity\": null\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -217,16 +208,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "40dc0657-6f44-4eac-93be-01501a7174a7" + "d94f5862-e895-4452-8244-91ddb6e1b0d4" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -236,23 +227,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], - "api-supported-versions": [ - "2019-01-01" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "5f2f5b93-b644-4912-9665-6f5b89207fab" + "6fd098e4-c4f6-4399-889b-ef309081593d" ], "x-ms-correlation-request-id": [ - "5f2f5b93-b644-4912-9665-6f5b89207fab" + "6fd098e4-c4f6-4399-889b-ef309081593d" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T213906Z:5f2f5b93-b644-4912-9665-6f5b89207fab" + "WESTUS2:20210413T222749Z:6fd098e4-c4f6-4399-889b-ef309081593d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -261,7 +249,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:39:06 GMT" + "Tue, 13 Apr 2021 22:27:49 GMT" ], "Content-Length": [ "2" 
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Create.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Create.json index dd868b23243b..58398169b42a 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Create.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Create.json @@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "b8bb998b-f78e-4898-b35e-6bcd8d15c2c4" + "11550a5d-5961-4740-9797-059a90e1d80c" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "141bfb56-e19c-4709-9fbe-1d10e8cabdbd" + "db82bc4a-0d4e-4d16-8c44-bfbe246143e7" ], "x-ms-correlation-request-id": [ - "141bfb56-e19c-4709-9fbe-1d10e8cabdbd" + "db82bc4a-0d4e-4d16-8c44-bfbe246143e7" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211242Z:141bfb56-e19c-4709-9fbe-1d10e8cabdbd" + "WESTUS2:20210413T222625Z:db82bc4a-0d4e-4d16-8c44-bfbe246143e7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:42 GMT" + "Tue, 13 Apr 2021 22:26:25 GMT" ], "Content-Length": [ "525" 
@@ -66,7 +66,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/cd2f31a6-98db-4834-8696-36a184436387\",\r\n \"name\": \"cd2f31a6-98db-4834-8696-36a184436387\",\r\n \"etag\": \"84bdd504-71fa-4a44-9934-bfb79210d0bb\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/cd2f31a6-98db-4834-8696-36a184436387\",\r\n \"name\": \"cd2f31a6-98db-4834-8696-36a184436387\",\r\n \"etag\": \"1e442fff-1bed-4f53-9214-9ea83499ddf2\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -76,16 +76,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "f74210b6-2d5a-43a3-9115-faeb2c33c98b" + "b988e088-3ab5-48c1-af55-2562a35cae13" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -95,20 +95,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "9e7fd461-3ef6-4a43-9df4-82dfa6aaa246" + "5d19fac8-a853-47da-b24b-af617a9eb2a1" ], "x-ms-correlation-request-id": [ - "9e7fd461-3ef6-4a43-9df4-82dfa6aaa246" + "5d19fac8-a853-47da-b24b-af617a9eb2a1" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211242Z:9e7fd461-3ef6-4a43-9df4-82dfa6aaa246" + "WESTUS2:20210413T222626Z:5d19fac8-a853-47da-b24b-af617a9eb2a1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -117,7 +117,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:42 GMT" + "Tue, 13 Apr 2021 22:26:25 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Delete.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Delete.json index 51cabb712a3c..62dbd0227ae0 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Delete.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Delete.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "1ba4fa82-516d-4789-bcd3-3536cc5fbf08" + "5420aab5-b899-46e9-950a-44562827e3f0" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "49d5244a-adeb-4197-9de8-845ca0c19fcc" + "330824a2-a332-4f49-a036-bb6b371ded3f" ], "x-ms-correlation-request-id": [ - "49d5244a-adeb-4197-9de8-845ca0c19fcc" + "330824a2-a332-4f49-a036-bb6b371ded3f" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211302Z:49d5244a-adeb-4197-9de8-845ca0c19fcc" + "WESTUS2:20210413T222646Z:330824a2-a332-4f49-a036-bb6b371ded3f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:02 GMT" + "Tue, 13 Apr 2021 22:26:46 GMT" ], "Content-Length": [ "525" 
@@ -66,7 +66,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f2bc6c20-6785-4b98-8dd3-26767b7de5b4\",\r\n \"name\": \"f2bc6c20-6785-4b98-8dd3-26767b7de5b4\",\r\n \"etag\": \"771bd1c0-1de6-40ee-bae4-f7674d78efa6\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f2bc6c20-6785-4b98-8dd3-26767b7de5b4\",\r\n \"name\": \"f2bc6c20-6785-4b98-8dd3-26767b7de5b4\",\r\n \"etag\": \"6272cff2-0902-47f8-ba40-494e6e494859\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -76,16 +76,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "41bee657-3a07-441b-82eb-e5568cbd405f" + "e206f767-911d-452b-8135-5650b86de7ff" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -95,20 +95,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "1519748c-70c1-4ef0-b412-efc5ed6d502e" + "4fae78a8-a7c2-48f2-b9db-240fd6cfba42" ], "x-ms-correlation-request-id": [ - "1519748c-70c1-4ef0-b412-efc5ed6d502e" + "4fae78a8-a7c2-48f2-b9db-240fd6cfba42" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211303Z:1519748c-70c1-4ef0-b412-efc5ed6d502e" + "WESTUS2:20210413T222646Z:4fae78a8-a7c2-48f2-b9db-240fd6cfba42" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -117,7 +117,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:02 GMT" + "Tue, 13 Apr 2021 22:26:46 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Get.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Get.json index e2f6fe83aa85..a3ded25a2697 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Get.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Get.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "6c8274a5-d08f-402c-aee8-589c464d2960" + "dbcb4dff-cb19-4d27-9103-86ceb3dd69cf" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "833f3110-7ece-4311-ad45-01bb40b58567" + "e6ac14d0-f959-4eb9-ba78-ed2de88730a6" ], "x-ms-correlation-request-id": [ - "833f3110-7ece-4311-ad45-01bb40b58567" + "e6ac14d0-f959-4eb9-ba78-ed2de88730a6" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211236Z:833f3110-7ece-4311-ad45-01bb40b58567" + "WESTUS2:20210413T222618Z:e6ac14d0-f959-4eb9-ba78-ed2de88730a6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:35 GMT" + "Tue, 13 Apr 2021 22:26:18 GMT" ], "Content-Length": [ "525" 
@@ -66,7 +66,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/3da7055e-fcd4-4715-b2ab-72170ee57612\",\r\n \"name\": \"3da7055e-fcd4-4715-b2ab-72170ee57612\",\r\n \"etag\": \"c34dd8f1-681e-45c7-93f6-45a268c84773\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/3da7055e-fcd4-4715-b2ab-72170ee57612\",\r\n \"name\": \"3da7055e-fcd4-4715-b2ab-72170ee57612\",\r\n \"etag\": \"eae36a4e-d885-4984-9135-669395cb488f\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -76,16 +76,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "1cef53ec-5203-41b3-8f33-0d480492d8e3" + "c0e8a83b-7d73-40e6-b4d9-6a6e47d13fdb" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -95,20 +95,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11998" + ], "x-ms-request-id": [ - "547806d6-18a7-49a8-8a68-71c1fe49f591" + "8772fca1-8c98-474a-bf4e-df37c06ccd3a" ], "x-ms-correlation-request-id": [ - "547806d6-18a7-49a8-8a68-71c1fe49f591" + "8772fca1-8c98-474a-bf4e-df37c06ccd3a" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211236Z:547806d6-18a7-49a8-8a68-71c1fe49f591" + "WESTUS2:20210413T222619Z:8772fca1-8c98-474a-bf4e-df37c06ccd3a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -117,7 +117,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:35 GMT" + "Tue, 13 Apr 2021 22:26:18 GMT" ], "Content-Length": [ "525" 
@@ -129,7 +129,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/3da7055e-fcd4-4715-b2ab-72170ee57612\",\r\n \"name\": \"3da7055e-fcd4-4715-b2ab-72170ee57612\",\r\n \"etag\": \"c34dd8f1-681e-45c7-93f6-45a268c84773\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/3da7055e-fcd4-4715-b2ab-72170ee57612\",\r\n \"name\": \"3da7055e-fcd4-4715-b2ab-72170ee57612\",\r\n \"etag\": \"eae36a4e-d885-4984-9135-669395cb488f\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -139,16 +139,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "5e4b0b7e-a988-4983-a324-70b232dbe888" + "f3cbac10-e741-4009-b5ef-984dc5f860ae" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -158,20 +158,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "60ea52d4-d73a-4b9c-abf2-845cfdabd69b" + "04b06464-fbfe-425e-93fd-3f7358d2c864" ], "x-ms-correlation-request-id": [ - "60ea52d4-d73a-4b9c-abf2-845cfdabd69b" + "04b06464-fbfe-425e-93fd-3f7358d2c864" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211236Z:60ea52d4-d73a-4b9c-abf2-845cfdabd69b" + "WESTUS2:20210413T222619Z:04b06464-fbfe-425e-93fd-3f7358d2c864" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -180,7 +180,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:35 GMT" + "Tue, 13 Apr 2021 22:26:19 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/InputObject.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/InputObject.json index 48ef1c0936e4..8c401f86c295 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/InputObject.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/InputObject.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "6784fd32-d26d-47b2-adbd-094f684b9b68" + "225af12b-eb68-4ee0-b6a9-c70625f7f266" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "d20124f9-29a1-4899-b43c-a34dc6382c6a" + "3631aa39-469e-4bc5-afc8-fbf78329767d" ], "x-ms-correlation-request-id": [ - "d20124f9-29a1-4899-b43c-a34dc6382c6a" + "3631aa39-469e-4bc5-afc8-fbf78329767d" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211305Z:d20124f9-29a1-4899-b43c-a34dc6382c6a" + "WESTUS2:20210413T222649Z:3631aa39-469e-4bc5-afc8-fbf78329767d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:04 GMT" + "Tue, 13 Apr 2021 22:26:48 GMT" ], "Content-Length": [ "525" 
@@ -66,26 +66,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"name\": \"44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"etag\": \"3233739a-d2d8-40fd-ab13-5ff6524ab613\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"name\": \"44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"etag\": \"4875ceb0-d4dc-4f87-bcc2-8e766c2f55e0\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13?api-version=2020-01-01", "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy80NGMzYmZjNi01MzYxLTQxYWYtYTUwZC02NTIzMmMzZjliMTM/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"Disabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n },\r\n \"etag\": \"3233739a-d2d8-40fd-ab13-5ff6524ab613\"\r\n}", + "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"Disabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n },\r\n \"etag\": \"4875ceb0-d4dc-4f87-bcc2-8e766c2f55e0\"\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "f6fa52d4-2eb7-473c-80c0-93abdc2585a8" + "16bb49fd-bb2c-457b-bb00-a49fd26a73a4" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -101,20 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "cd442551-71fe-42a1-9393-f507f1b82bc6" + "1afbb936-a896-4b88-93ef-9eb562340d10" ], "x-ms-correlation-request-id": [ - "cd442551-71fe-42a1-9393-f507f1b82bc6" + "1afbb936-a896-4b88-93ef-9eb562340d10" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211306Z:cd442551-71fe-42a1-9393-f507f1b82bc6" + "WESTUS2:20210413T222650Z:1afbb936-a896-4b88-93ef-9eb562340d10" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,7 +123,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:05 GMT" + "Tue, 13 Apr 2021 22:26:49 GMT" ], "Content-Length": [ "492" 
@@ -135,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"name\": \"44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"etag\": \"3233739a-d2d8-40fd-ab13-5ff6524ab613\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": null,\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"disabled\"\r\n }\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"name\": \"44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"etag\": \"4875ceb0-d4dc-4f87-bcc2-8e766c2f55e0\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": null,\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"disabled\"\r\n }\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -145,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "9c7fc857-3e92-461c-b3e2-2b4949ca623a" + "16bb49fd-bb2c-457b-bb00-a49fd26a73a4" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -164,20 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "867aecbe-ba63-4200-823d-b431225ee6b8" + "9ecbb3f0-4203-455e-87d0-24b223a8edac" ], "x-ms-correlation-request-id": [ - "867aecbe-ba63-4200-823d-b431225ee6b8" + "9ecbb3f0-4203-455e-87d0-24b223a8edac" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211305Z:867aecbe-ba63-4200-823d-b431225ee6b8" + "WESTUS2:20210413T222649Z:9ecbb3f0-4203-455e-87d0-24b223a8edac" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -186,7 +186,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:05 GMT" + "Tue, 13 Apr 2021 22:26:48 GMT" ], "Content-Length": [ "525" 
@@ -198,7 +198,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"name\": \"44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"etag\": \"3233739a-d2d8-40fd-ab13-5ff6524ab613\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"name\": \"44c3bfc6-5361-41af-a50d-65232c3f9b13\",\r\n \"etag\": \"4875ceb0-d4dc-4f87-bcc2-8e766c2f55e0\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -208,16 +208,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "1747149c-fb0a-4123-80bc-db2fc5003505" + "89456bd3-979e-4d0a-9962-28283d9f9520" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -234,13 +234,13 @@ "14999" ], "x-ms-request-id": [ - "346548b0-ec05-43f9-af14-10117de94f8c" + "835f20d1-6bfb-4784-83cd-c387db1ce578" ], "x-ms-correlation-request-id": [ - "346548b0-ec05-43f9-af14-10117de94f8c" + "835f20d1-6bfb-4784-83cd-c387db1ce578" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211306Z:346548b0-ec05-43f9-af14-10117de94f8c" + "WESTUS2:20210413T222650Z:835f20d1-6bfb-4784-83cd-c387db1ce578" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -249,7 +249,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:05 GMT" + "Tue, 13 Apr 2021 22:26:49 GMT" ], "Expires": [ "-1" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/List.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/List.json index f4742ec44886..a24fbd4ada3d 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/List.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/List.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "5f0b3c13-7ec7-4576-9fc9-9a259d2d4fae" + "f9e20222-1f10-4a19-9f86-7562bef0309e" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "3549617d-7d32-4179-a2db-18b4281f79d7" + "dbdb21c5-4801-4404-9084-088849218d76" ], "x-ms-correlation-request-id": [ - "3549617d-7d32-4179-a2db-18b4281f79d7" + "dbdb21c5-4801-4404-9084-088849218d76" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211245Z:3549617d-7d32-4179-a2db-18b4281f79d7" + "WESTUS2:20210413T222628Z:dbdb21c5-4801-4404-9084-088849218d76" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:45 GMT" + "Tue, 13 Apr 2021 22:26:27 GMT" ], "Content-Length": [ "525" 
@@ -66,7 +66,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/934ce201-63c5-4911-9e04-50b348020378\",\r\n \"name\": \"934ce201-63c5-4911-9e04-50b348020378\",\r\n \"etag\": \"fbe67e88-04f6-4d77-8db7-d24774c0b7d2\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/934ce201-63c5-4911-9e04-50b348020378\",\r\n \"name\": \"934ce201-63c5-4911-9e04-50b348020378\",\r\n \"etag\": \"3bc9ba95-bfd1-4b1a-8991-81cc0b2a01ff\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -76,16 +76,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "dca94e59-2c94-4bdd-a9a3-4db00e2ebb27" + "a65ca0a3-f616-43a9-8610-dd3ad07a0710" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -95,20 +95,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "5e4dd3c6-a460-4eea-9c8f-08186409b515" + "e3ab6a58-313e-4ce4-a421-46a54a7c64fb" ], "x-ms-correlation-request-id": [ - "5e4dd3c6-a460-4eea-9c8f-08186409b515" + "e3ab6a58-313e-4ce4-a421-46a54a7c64fb" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211245Z:5e4dd3c6-a460-4eea-9c8f-08186409b515" + "WESTUS2:20210413T222628Z:e3ab6a58-313e-4ce4-a421-46a54a7c64fb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -117,10 +117,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:45 GMT" + "Tue, 13 Apr 2021 22:26:27 GMT" ], "Content-Length": [ - "1600" + "537" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -129,7 +129,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/52f62672-8098-46d4-bb56-534bc4b931ad\",\r\n \"name\": \"52f62672-8098-46d4-bb56-534bc4b931ad\",\r\n \"etag\": \"70ee4475-c32a-45c6-a940-afebd2d10be4\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureActiveDirectory\",\r\n \"properties\": {\r\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/74df4924-4c7b-465d-af37-017c72c08681\",\r\n \"name\": \"74df4924-4c7b-465d-af37-017c72c08681\",\r\n \"etag\": \"c50e1390-f6a2-4f68-842a-e8fd9fde0f07\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"MicrosoftDefenderAdvancedThreatProtection\",\r\n \"properties\": {\r\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/934ce201-63c5-4911-9e04-50b348020378\",\r\n \"name\": \"934ce201-63c5-4911-9e04-50b348020378\",\r\n \"etag\": \"fbe67e88-04f6-4d77-8db7-d24774c0b7d2\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n 
}\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/934ce201-63c5-4911-9e04-50b348020378\",\r\n \"name\": \"934ce201-63c5-4911-9e04-50b348020378\",\r\n \"etag\": \"3bc9ba95-bfd1-4b1a-8991-81cc0b2a01ff\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { @@ -139,16 +139,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "02e04982-f259-4ec5-84ab-66af7453ffe2" + "7eb701a2-bd47-404f-9cf1-6c56edc3a38d" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -158,20 +158,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "764edf99-a36e-45b1-9ecd-330ba8e784ab" + "b1d257e1-d6dc-4c0d-955a-2bf5485dde6e" ], "x-ms-correlation-request-id": [ - "764edf99-a36e-45b1-9ecd-330ba8e784ab" + "b1d257e1-d6dc-4c0d-955a-2bf5485dde6e" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211300Z:764edf99-a36e-45b1-9ecd-330ba8e784ab" + "WESTUS2:20210413T222644Z:b1d257e1-d6dc-4c0d-955a-2bf5485dde6e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -180,7 +180,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:13:00 GMT" + "Tue, 13 Apr 2021 22:26:43 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Update.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Update.json index 0bb42a6e4828..593ba79799c5 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Update.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.DataConnectorsTests/Update.json @@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "c00e83cf-289d-41e4-9164-49373713fc99" + "5d210d39-45a1-4c83-a9eb-5bb63d662ebd" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "52aff9e4-76f2-4355-ab7b-ac002d298baa" + "3072f138-e4b4-4349-9515-7d64a20f75b7" ], "x-ms-correlation-request-id": [ - "52aff9e4-76f2-4355-ab7b-ac002d298baa" + "3072f138-e4b4-4349-9515-7d64a20f75b7" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211238Z:52aff9e4-76f2-4355-ab7b-ac002d298baa" + "WESTUS2:20210413T222622Z:3072f138-e4b4-4349-9515-7d64a20f75b7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:38 GMT" + "Tue, 13 Apr 2021 22:26:22 GMT" ], "Content-Length": [ "525" 
@@ -66,26 +66,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"name\": \"f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"etag\": \"049178d0-a381-4138-9560-58fc927435cc\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"name\": \"f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"etag\": \"d46e1020-3201-47eb-9a72-7b9053e89e28\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2?api-version=2020-01-01", "EncodedRequestUri": 
"L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9kYXRhQ29ubmVjdG9ycy9mM2FiYjBiZi05ZjhiLTRmMDMtODg2NS04ZTcxZTI4ODliYTI/YXBpLXZlcnNpb249MjAyMC0wMS0wMQ==", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"Disabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n },\r\n \"etag\": \"049178d0-a381-4138-9560-58fc927435cc\"\r\n}", + "RequestBody": "{\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"Disabled\"\r\n }\r\n },\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\r\n },\r\n \"etag\": \"d46e1020-3201-47eb-9a72-7b9053e89e28\"\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "55879b55-6c2c-4007-8bf4-cf16358d9f14" + "1e858b0b-1c78-4f90-a2e4-de9e77c6de41" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -101,20 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "73109ed3-dcc8-4ef4-bf10-947b8ad1ccdf" + "789cfbe0-82a4-48bb-8f81-632ef6f780ef" ], "x-ms-correlation-request-id": [ - "73109ed3-dcc8-4ef4-bf10-947b8ad1ccdf" + "789cfbe0-82a4-48bb-8f81-632ef6f780ef" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211239Z:73109ed3-dcc8-4ef4-bf10-947b8ad1ccdf" + "WESTUS2:20210413T222623Z:789cfbe0-82a4-48bb-8f81-632ef6f780ef" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,7 +123,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:39 GMT" + "Tue, 13 Apr 2021 22:26:23 GMT" ], "Content-Length": [ "492" 
@@ -135,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"name\": \"f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"etag\": \"049178d0-a381-4138-9560-58fc927435cc\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": null,\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"disabled\"\r\n }\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"name\": \"f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"etag\": \"d46e1020-3201-47eb-9a72-7b9053e89e28\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": null,\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"disabled\"\r\n }\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -145,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "141c04b0-e63a-4fc3-9387-cf9ff0751c62" + "1e858b0b-1c78-4f90-a2e4-de9e77c6de41" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -164,20 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "c236430a-06ff-47ef-94d6-a78ba2e4dcaf" + "a4ae45ae-9b86-48e3-97e8-516b6b28003b" ], "x-ms-correlation-request-id": [ - "c236430a-06ff-47ef-94d6-a78ba2e4dcaf" + "a4ae45ae-9b86-48e3-97e8-516b6b28003b" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211239Z:c236430a-06ff-47ef-94d6-a78ba2e4dcaf" + "WESTUS2:20210413T222622Z:a4ae45ae-9b86-48e3-97e8-516b6b28003b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -186,7 +186,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:38 GMT" + "Tue, 13 Apr 2021 22:26:22 GMT" ], "Content-Length": [ "525" 
@@ -198,7 +198,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"name\": \"f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"etag\": \"049178d0-a381-4138-9560-58fc927435cc\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/dataConnectors/f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"name\": \"f3abb0bf-9f8b-4f03-8865-8e71e2889ba2\",\r\n \"etag\": \"d46e1020-3201-47eb-9a72-7b9053e89e28\",\r\n \"type\": \"Microsoft.SecurityInsights/dataConnectors\",\r\n \"kind\": \"AzureSecurityCenter\",\r\n \"properties\": {\r\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\r\n \"dataTypes\": {\r\n \"alerts\": {\r\n \"state\": \"enabled\"\r\n }\r\n }\r\n }\r\n}", "StatusCode": 200 }, { @@ -208,16 +208,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "f0f45f9a-15f3-493a-bc7c-ba50e2ae6f3b" + "4cd0d5f1-2553-4862-8d5a-be2a972ff79d" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -234,13 +234,13 @@ "14999" ], "x-ms-request-id": [ - "b9f0bbb8-514d-423a-b486-19a3c1d10da2" + "197dd0c8-acde-4161-9812-7e6161e95637" ], "x-ms-correlation-request-id": [ - "b9f0bbb8-514d-423a-b486-19a3c1d10da2" + "197dd0c8-acde-4161-9812-7e6161e95637" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211240Z:b9f0bbb8-514d-423a-b486-19a3c1d10da2" + "WESTUS2:20210413T222623Z:197dd0c8-acde-4161-9812-7e6161e95637" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -249,7 +249,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:39 GMT" + "Tue, 13 Apr 2021 22:26:23 GMT" ], "Expires": [ "-1" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Create.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Create.json index da9294adf50f..9d8c4d70701a 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Create.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Create.json @@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "73890494-454b-452f-909d-e82d932ef527" + "9c3444a6-0565-482d-9044-c6b01758a947" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1197" + ], "x-ms-request-id": [ - "ce5bc405-ee05-4a86-bc81-ea808eb0abfa" + "8f9cf53b-5d40-42b1-8bc4-71e6bd41e87c" ], "x-ms-correlation-request-id": [ - "ce5bc405-ee05-4a86-bc81-ea808eb0abfa" + "8f9cf53b-5d40-42b1-8bc4-71e6bd41e87c" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211207Z:ce5bc405-ee05-4a86-bc81-ea808eb0abfa" + "WESTUS2:20210413T222759Z:8f9cf53b-5d40-42b1-8bc4-71e6bd41e87c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:07 GMT" + "Tue, 13 Apr 2021 22:27:58 GMT" ], "Content-Length": [ "1115" 
@@ -66,7 +66,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/055ddb69-f086-4765-89f2-dafe0b9c8e74\",\r\n \"name\": \"055ddb69-f086-4765-89f2-dafe0b9c8e74\",\r\n \"etag\": \"\\\"bd008fa3-0000-0100-0000-5fd28f270000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:07.8475167Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:07.8475167Z\",\r\n \"incidentNumber\": 96,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/055ddb69-f086-4765-89f2-dafe0b9c8e74\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/055ddb69-f086-4765-89f2-dafe0b9c8e74\",\r\n \"name\": \"055ddb69-f086-4765-89f2-dafe0b9c8e74\",\r\n \"etag\": \"\\\"e0008692-0000-0100-0000-60761aef0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": 
null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:27:59.0411717Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:27:59.0411717Z\",\r\n \"incidentNumber\": 11,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/055ddb69-f086-4765-89f2-dafe0b9c8e74\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -76,16 +76,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "5511c935-87f5-46b7-8c52-5cd628b08d42" + "e6397e2a-a07f-4575-a411-b2f7ed13dd16" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -101,20 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1196" + ], "x-ms-request-id": [ - "e4cf44e3-7504-41fe-9821-c0801fff108a" + "8f1d7a53-00a4-467b-92fd-67184ad5b034" ], "x-ms-correlation-request-id": [ - "e4cf44e3-7504-41fe-9821-c0801fff108a" + "8f1d7a53-00a4-467b-92fd-67184ad5b034" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211208Z:e4cf44e3-7504-41fe-9821-c0801fff108a" + "WESTUS2:20210413T222759Z:8f1d7a53-00a4-467b-92fd-67184ad5b034" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,10 +123,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:07 GMT" + "Tue, 13 Apr 2021 22:27:59 GMT" ], "Content-Length": [ - "734" + "631" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -135,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/055ddb69-f086-4765-89f2-dafe0b9c8e74/Comments/3d67df3d-2b58-430b-9eb4-da652bf59c4a\",\r\n \"name\": \"3d67df3d-2b58-430b-9eb4-da652bf59c4a\",\r\n \"etag\": \"\\\"bd0093a3-0000-0100-0000-5fd28f280000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:08.3469792Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:08.3469792Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/055ddb69-f086-4765-89f2-dafe0b9c8e74/Comments/3d67df3d-2b58-430b-9eb4-da652bf59c4a\",\r\n \"name\": \"3d67df3d-2b58-430b-9eb4-da652bf59c4a\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2021-04-13T22:27:59.5477917Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}", "StatusCode": 201 }, { 
@@ -145,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "2a8559f3-0325-4f3b-a3a6-5ded21682d9a" + "4aa79e06-a915-46d5-98c3-b9522f24f8b3" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -164,20 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14997" + ], "x-ms-request-id": [ - "f5e7bece-aa42-49c0-9812-5d9eef84fe04" + "db8c3d93-dda2-4f9e-90fe-9fbe09f6985d" ], "x-ms-correlation-request-id": [ - "f5e7bece-aa42-49c0-9812-5d9eef84fe04" + "db8c3d93-dda2-4f9e-90fe-9fbe09f6985d" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211208Z:f5e7bece-aa42-49c0-9812-5d9eef84fe04" + "WESTUS2:20210413T222759Z:db8c3d93-dda2-4f9e-90fe-9fbe09f6985d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -186,7 +186,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:07 GMT" + "Tue, 13 Apr 2021 22:27:59 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Get.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Get.json index 320048ac1553..03c9fb6442b6 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Get.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/Get.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "66810179-3f93-47b9-bf77-eac26a8f90d1" + "12d72e1a-7587-418b-b69e-1c1e6769ca72" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "6b6480f1-7236-4092-9cb2-8191b3651fc2" + "d2a5aac8-a681-4ecf-ae38-5123818beb8f" ], "x-ms-correlation-request-id": [ - "6b6480f1-7236-4092-9cb2-8191b3651fc2" + "d2a5aac8-a681-4ecf-ae38-5123818beb8f" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211210Z:6b6480f1-7236-4092-9cb2-8191b3651fc2" + "WESTUS2:20210413T222801Z:d2a5aac8-a681-4ecf-ae38-5123818beb8f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,10 +54,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:09 GMT" + "Tue, 13 Apr 2021 22:28:00 GMT" ], "Content-Length": [ - "1113" + "1115" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -66,7 +66,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c\",\r\n \"name\": \"85f5ceeb-e5ae-47e5-991f-cbcbb080644c\",\r\n \"etag\": \"\\\"bd009ca3-0000-0100-0000-5fd28f290000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:09.884083Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:09.884083Z\",\r\n \"incidentNumber\": 97,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c\",\r\n \"name\": \"85f5ceeb-e5ae-47e5-991f-cbcbb080644c\",\r\n \"etag\": \"\\\"e0008992-0000-0100-0000-60761af10000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n 
\"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:01.1460861Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:01.1460861Z\",\r\n \"incidentNumber\": 12,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -76,16 +76,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "402fa58e-a7ec-4952-b1ad-d5d2d9da799d" + "95d4a2ec-7a45-49eb-a2e8-109815c31e8c" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -101,20 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "096f6781-77bf-4f85-baf0-7fdfbe610be9" + "1a91c102-7b00-4112-a3f7-3bb2e04f7915" ], "x-ms-correlation-request-id": [ - "096f6781-77bf-4f85-baf0-7fdfbe610be9" + "1a91c102-7b00-4112-a3f7-3bb2e04f7915" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211210Z:096f6781-77bf-4f85-baf0-7fdfbe610be9" + "WESTUS2:20210413T222801Z:1a91c102-7b00-4112-a3f7-3bb2e04f7915" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,10 +123,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:09 GMT" + "Tue, 13 Apr 2021 22:28:00 GMT" ], "Content-Length": [ - "734" + "631" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -135,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c/Comments/5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7\",\r\n \"name\": \"5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7\",\r\n \"etag\": \"\\\"bd009da3-0000-0100-0000-5fd28f2a0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:10.1830084Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:10.1830084Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c/Comments/5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7\",\r\n \"name\": \"5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:01.4441702Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}", "StatusCode": 201 }, { 
@@ -145,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "be917529-206a-4e20-be3e-b9db6efb3a63" + "6298e37b-9b91-4c5f-9a47-5cf31a0e40b3" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -164,20 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "b5469503-61b2-45e8-a105-4be0336ab50e" + "e3dcda86-9bce-4f9f-9d6c-14e4f6e78968" ], "x-ms-correlation-request-id": [ - "b5469503-61b2-45e8-a105-4be0336ab50e" + "e3dcda86-9bce-4f9f-9d6c-14e4f6e78968" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211210Z:b5469503-61b2-45e8-a105-4be0336ab50e" + "WESTUS2:20210413T222801Z:e3dcda86-9bce-4f9f-9d6c-14e4f6e78968" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -186,10 +186,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:09 GMT" + "Tue, 13 Apr 2021 22:28:00 GMT" ], "Content-Length": [ - "734" + "631" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -198,7 +198,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c/Comments/5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7\",\r\n \"name\": \"5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7\",\r\n \"etag\": \"\\\"bd009da3-0000-0100-0000-5fd28f2a0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:10.1830084Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:10.1830084Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/85f5ceeb-e5ae-47e5-991f-cbcbb080644c/Comments/5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7\",\r\n \"name\": \"5fb3ef3e-cdf9-4699-ae87-4da1af12a9a7\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:01.4441702Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}", "StatusCode": 200 }, { 
@@ -208,16 +208,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "08f0babc-bd65-48cf-8bd0-10fb497471f0" + "a16b0905-1e42-46f2-aa6b-c6d6d4230956" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -227,20 +227,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "d92e87cc-cfb6-4c90-bd36-d2b926f5fe02" + "fca53533-037f-4296-be88-9ca5e1bc59ef" ], "x-ms-correlation-request-id": [ - "d92e87cc-cfb6-4c90-bd36-d2b926f5fe02" + "fca53533-037f-4296-be88-9ca5e1bc59ef" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211210Z:d92e87cc-cfb6-4c90-bd36-d2b926f5fe02" + "WESTUS2:20210413T222801Z:fca53533-037f-4296-be88-9ca5e1bc59ef" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -249,7 +249,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:09 GMT" + "Tue, 13 Apr 2021 22:28:01 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/List.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/List.json index 7f4b90e8d9df..8b6ef0a5e8f3 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/List.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentCommentsTests/List.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "3f51c4b3-b62d-4131-b1e3-230c5f7b2a11" + "6f8f85ab-e2d1-4483-852e-b75fa3f1b8d6" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "7cc64fed-2afc-4879-9fed-4b7e76d3cd43" + "23ca09cf-5c35-4876-babb-7c89272bdf4d" ], "x-ms-correlation-request-id": [ - "7cc64fed-2afc-4879-9fed-4b7e76d3cd43" + "23ca09cf-5c35-4876-babb-7c89272bdf4d" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211211Z:7cc64fed-2afc-4879-9fed-4b7e76d3cd43" + "WESTUS2:20210413T222803Z:23ca09cf-5c35-4876-babb-7c89272bdf4d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:10 GMT" + "Tue, 13 Apr 2021 22:28:02 GMT" ], "Content-Length": [ "1115" 
@@ -66,7 +66,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b\",\r\n \"name\": \"9d9782b4-8896-414b-b22a-68618548ba5b\",\r\n \"etag\": \"\\\"bd00a1a3-0000-0100-0000-5fd28f2b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:11.5730203Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:11.5730203Z\",\r\n \"incidentNumber\": 98,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b\",\r\n \"name\": \"9d9782b4-8896-414b-b22a-68618548ba5b\",\r\n \"etag\": \"\\\"e0008e92-0000-0100-0000-60761af20000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": 
null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:02.9011217Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:02.9011217Z\",\r\n \"incidentNumber\": 13,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -76,16 +76,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "9e5d79bb-0227-4122-87e0-68ad2d9a44c4" + "22064edb-6948-4a51-82a5-300e19826b91" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -101,20 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "3f59d907-0f7e-40e3-9858-59de72244dae" + "7b385abd-902d-47d8-9ccc-40575ef61de9" ], "x-ms-correlation-request-id": [ - "3f59d907-0f7e-40e3-9858-59de72244dae" + "7b385abd-902d-47d8-9ccc-40575ef61de9" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211211Z:3f59d907-0f7e-40e3-9858-59de72244dae" + "WESTUS2:20210413T222803Z:7b385abd-902d-47d8-9ccc-40575ef61de9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,10 +123,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:11 GMT" + "Tue, 13 Apr 2021 22:28:03 GMT" ], "Content-Length": [ - "734" + "631" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -135,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b/Comments/9d639724-938d-4551-b7d6-ab89c9d8b7df\",\r\n \"name\": \"9d639724-938d-4551-b7d6-ab89c9d8b7df\",\r\n \"etag\": \"\\\"bd00a2a3-0000-0100-0000-5fd28f2b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:11.8336762Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:11.8336762Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b/Comments/9d639724-938d-4551-b7d6-ab89c9d8b7df\",\r\n \"name\": \"9d639724-938d-4551-b7d6-ab89c9d8b7df\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:03.4457171Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}", "StatusCode": 201 }, { 
@@ -145,16 +145,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest2\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "1326e442-df23-4fa5-a6ca-1020a651b8be" + "f3299a6d-d044-43da-aca6-134f7ee5e506" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -170,20 +170,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1197" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1197" + ], "x-ms-request-id": [ - "0232af53-5521-428c-acaf-3b9d20883fe8" + "b898afb7-36e5-4255-ae24-3963f94d06f7" ], "x-ms-correlation-request-id": [ - "0232af53-5521-428c-acaf-3b9d20883fe8" + "b898afb7-36e5-4255-ae24-3963f94d06f7" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211212Z:0232af53-5521-428c-acaf-3b9d20883fe8" + "WESTUS2:20210413T222803Z:b898afb7-36e5-4255-ae24-3963f94d06f7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -192,10 +192,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:11 GMT" + "Tue, 13 Apr 2021 22:28:03 GMT" ], "Content-Length": [ - "733" + "632" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -204,7 +204,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b/Comments/1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1\",\r\n \"name\": \"1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1\",\r\n \"etag\": \"\\\"bd00a6a3-0000-0100-0000-5fd28f2c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest2\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:12.076223Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:12.076223Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b/Comments/1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1\",\r\n \"name\": \"1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest2\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:03.7132616Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n}", "StatusCode": 201 }, { 
@@ -214,16 +214,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "87fe4d3f-0fbc-473a-a703-9e5d69d19fc1" + "f0691b95-530d-4a52-80c6-111682f5ff15" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -233,20 +233,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11998" + ], "x-ms-request-id": [ - "12785170-6321-4ced-bd59-015994f5dc07" + "d0f2dd17-ee34-4cd2-b115-1e4b09b97b9b" ], "x-ms-correlation-request-id": [ - "12785170-6321-4ced-bd59-015994f5dc07" + "d0f2dd17-ee34-4cd2-b115-1e4b09b97b9b" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211212Z:12785170-6321-4ced-bd59-015994f5dc07" + "WESTUS2:20210413T222803Z:d0f2dd17-ee34-4cd2-b115-1e4b09b97b9b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -255,10 +255,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:11 GMT" + "Tue, 13 Apr 2021 22:28:03 GMT" ], "Content-Length": [ - "1480" + "1276" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -267,7 +267,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b/Comments/1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1\",\r\n \"name\": \"1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1\",\r\n \"etag\": \"\\\"bd00a6a3-0000-0100-0000-5fd28f2c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest2\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:12.076223Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:12.076223Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b/Comments/9d639724-938d-4551-b7d6-ab89c9d8b7df\",\r\n \"name\": \"9d639724-938d-4551-b7d6-ab89c9d8b7df\",\r\n \"etag\": \"\\\"bd00a2a3-0000-0100-0000-5fd28f2b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2020-12-10T21:12:11.8336762Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:12:11.8336762Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b/Comments/1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1\",\r\n \"name\": \"1dc74bd0-7b2b-4ff6-b4b8-d809193c36c1\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest2\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:03.7132616Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9d9782b4-8896-414b-b22a-68618548ba5b/Comments/9d639724-938d-4551-b7d6-ab89c9d8b7df\",\r\n \"name\": \"9d639724-938d-4551-b7d6-ab89c9d8b7df\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents/Comments\",\r\n \"properties\": {\r\n \"message\": \"PoshModuleTest\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:03.4457171Z\",\r\n \"author\": {\r\n \"objectId\": \"14c93cf3-e5e3-45cf-8b4e-1a6f62bdf202\",\r\n \"email\": null,\r\n \"name\": \"Comment created from external application - azsposh\",\r\n \"userPrincipalName\": null\r\n }\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { 
@@ -277,16 +277,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "62eaf465-92ad-4b75-9df8-df3d62a4a945" + "d113431d-98e3-4621-8c1f-a9a7c0b26eca" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -296,20 +296,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "b36d044d-dc72-42bd-8418-9d95c262005e" + "fc9d2fb3-e1a0-4c41-9004-ba99f58696ca" ], "x-ms-correlation-request-id": [ - "b36d044d-dc72-42bd-8418-9d95c262005e" + "fc9d2fb3-e1a0-4c41-9004-ba99f58696ca" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211212Z:b36d044d-dc72-42bd-8418-9d95c262005e" + "WESTUS2:20210413T222804Z:fc9d2fb3-e1a0-4c41-9004-ba99f58696ca" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -318,7 +318,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:12:11 GMT" + "Tue, 13 Apr 2021 22:28:03 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Create.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Create.json index 0106fde71583..4fd6c3cfbd39 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Create.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Create.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "ab277141-db44-4c40-be55-0ce17f47b694" + "52f6bfe9-b392-4b49-bce7-8c33c4115dc2" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1197" + ], "x-ms-request-id": [ - "d2b821e0-c48e-4b5f-bfcf-0c7047711bf2" + "a5b5bc44-2407-48f0-838f-5d474c6c278a" ], "x-ms-correlation-request-id": [ - "d2b821e0-c48e-4b5f-bfcf-0c7047711bf2" + "a5b5bc44-2407-48f0-838f-5d474c6c278a" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211151Z:d2b821e0-c48e-4b5f-bfcf-0c7047711bf2" + "WESTUS2:20210413T222809Z:a5b5bc44-2407-48f0-838f-5d474c6c278a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:50 GMT" + "Tue, 13 Apr 2021 22:28:09 GMT" ], "Content-Length": [ "1115" 
@@ -66,7 +66,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1877f91c-570c-46aa-8a2e-b2c6c3fd4a37\",\r\n \"name\": \"1877f91c-570c-46aa-8a2e-b2c6c3fd4a37\",\r\n \"etag\": \"\\\"bd005aa3-0000-0100-0000-5fd28f170000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:51.0583812Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:51.0583812Z\",\r\n \"incidentNumber\": 92,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1877f91c-570c-46aa-8a2e-b2c6c3fd4a37\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1877f91c-570c-46aa-8a2e-b2c6c3fd4a37\",\r\n \"name\": \"1877f91c-570c-46aa-8a2e-b2c6c3fd4a37\",\r\n \"etag\": \"\\\"e0009b92-0000-0100-0000-60761af90000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": 
null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:09.1168485Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:09.1168485Z\",\r\n \"incidentNumber\": 17,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1877f91c-570c-46aa-8a2e-b2c6c3fd4a37\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -76,16 +76,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "063056bc-b99b-49b4-ab8f-54a375d824dd" + "369139f9-61f0-4af0-b0c7-da58a403879e" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -95,20 +95,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14998" + ], "x-ms-request-id": [ - "c2703436-aa4f-4ab5-baa5-a165244ef5c5" + "67c104ab-1d73-4a4b-a775-419dd06a9c65" ], "x-ms-correlation-request-id": [ - "c2703436-aa4f-4ab5-baa5-a165244ef5c5" + "67c104ab-1d73-4a4b-a775-419dd06a9c65" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211151Z:c2703436-aa4f-4ab5-baa5-a165244ef5c5" + "WESTUS2:20210413T222809Z:67c104ab-1d73-4a4b-a775-419dd06a9c65" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -117,7 +117,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:50 GMT" + "Tue, 13 Apr 2021 22:28:09 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Get.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Get.json index 76218f4bb54e..ed538ed637ad 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Get.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Get.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "74141ac9-7e75-472f-b56e-dfa8d55894cd" + "e07343be-30f9-4125-b5f8-22a636034743" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "6e50e084-debd-48c2-9f08-1d2726a5792d" + "8df95d8e-1306-43f6-811b-e4eb720c4236" ], "x-ms-correlation-request-id": [ - "6e50e084-debd-48c2-9f08-1d2726a5792d" + "8df95d8e-1306-43f6-811b-e4eb720c4236" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211152Z:6e50e084-debd-48c2-9f08-1d2726a5792d" + "WESTUS2:20210413T222810Z:8df95d8e-1306-43f6-811b-e4eb720c4236" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,10 +54,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:51 GMT" + "Tue, 13 Apr 2021 22:28:09 GMT" ], "Content-Length": [ - "1113" + "1115" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -66,7 +66,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a45dd647-301b-427b-ac4c-6455f65d3081\",\r\n \"name\": \"a45dd647-301b-427b-ac4c-6455f65d3081\",\r\n \"etag\": \"\\\"bd005ca3-0000-0100-0000-5fd28f180000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:52.358693Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:52.358693Z\",\r\n \"incidentNumber\": 93,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a45dd647-301b-427b-ac4c-6455f65d3081\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a45dd647-301b-427b-ac4c-6455f65d3081\",\r\n \"name\": \"a45dd647-301b-427b-ac4c-6455f65d3081\",\r\n \"etag\": \"\\\"e0009c92-0000-0100-0000-60761afa0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n 
\"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:10.5957767Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:10.5957767Z\",\r\n \"incidentNumber\": 18,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a45dd647-301b-427b-ac4c-6455f65d3081\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -76,16 +76,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "7ed643ab-60e1-49d7-a521-484d3578121a" + "dbceb6bf-e364-4af5-bdb2-777dcd6fd0c1" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -95,20 +95,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "05687e94-2fae-4248-92e2-80446a1425f0" + "fa85443f-f5a4-4b25-95f1-5a7ba3a52585" ], "x-ms-correlation-request-id": [ - "05687e94-2fae-4248-92e2-80446a1425f0" + "fa85443f-f5a4-4b25-95f1-5a7ba3a52585" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211152Z:05687e94-2fae-4248-92e2-80446a1425f0" + "WESTUS2:20210413T222810Z:fa85443f-f5a4-4b25-95f1-5a7ba3a52585" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -117,10 +117,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:51 GMT" + "Tue, 13 Apr 2021 22:28:09 GMT" ], "Content-Length": [ - "1113" + "1115" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -129,7 +129,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a45dd647-301b-427b-ac4c-6455f65d3081\",\r\n \"name\": \"a45dd647-301b-427b-ac4c-6455f65d3081\",\r\n \"etag\": \"\\\"bd005ca3-0000-0100-0000-5fd28f180000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:52.358693Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:52.358693Z\",\r\n \"incidentNumber\": 93,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a45dd647-301b-427b-ac4c-6455f65d3081\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a45dd647-301b-427b-ac4c-6455f65d3081\",\r\n \"name\": \"a45dd647-301b-427b-ac4c-6455f65d3081\",\r\n \"etag\": \"\\\"e0009c92-0000-0100-0000-60761afa0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": 
null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:10.5957767Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:10.5957767Z\",\r\n \"incidentNumber\": 18,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a45dd647-301b-427b-ac4c-6455f65d3081\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -139,16 +139,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "bad10ed4-92a2-4b6a-8329-643c06e3eda2" + "ac448ea6-4798-4908-8a53-2cab9cf585e3" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -158,20 +158,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "5063a41a-f543-4aad-9895-384eebc3c6af" + "331d7fdf-11c2-4f6b-8e8e-66583e443889" ], "x-ms-correlation-request-id": [ - "5063a41a-f543-4aad-9895-384eebc3c6af" + "331d7fdf-11c2-4f6b-8e8e-66583e443889" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211152Z:5063a41a-f543-4aad-9895-384eebc3c6af" + "WESTUS2:20210413T222810Z:331d7fdf-11c2-4f6b-8e8e-66583e443889" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -180,7 +180,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:52 GMT" + "Tue, 13 Apr 2021 22:28:09 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/InputObject.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/InputObject.json index b0c2918eede9..a95791c89c4b 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/InputObject.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/InputObject.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "88a71185-87b2-4ed7-84c1-8f5d1c4a030f" + "fdf168d7-ed48-4b29-95e2-faed2f0bb742" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "bc44be46-5f3e-474a-8a29-90598186c358" + "41d3ceb9-4102-4cd3-88a2-c232353981aa" ], "x-ms-correlation-request-id": [ - "bc44be46-5f3e-474a-8a29-90598186c358" + "41d3ceb9-4102-4cd3-88a2-c232353981aa" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211155Z:bc44be46-5f3e-474a-8a29-90598186c358" + "WESTUS2:20210413T222814Z:41d3ceb9-4102-4cd3-88a2-c232353981aa" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:55 GMT" + "Tue, 13 Apr 2021 22:28:13 GMT" ], "Content-Length": [ "1115" 
@@ -66,26 +66,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"name\": \"1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"etag\": \"\\\"bd0068a3-0000-0100-0000-5fd28f1b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:55.5504153Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:55.5504153Z\",\r\n \"incidentNumber\": 95,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"name\": \"1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"etag\": \"\\\"e0009f92-0000-0100-0000-60761afd0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": 
null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:13.9567656Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:13.9567656Z\",\r\n \"incidentNumber\": 20,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\"\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/1624cb38-732b-4775-9aef-6206344b3b92?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvMTYyNGNiMzgtNzMyYi00Nzc1LTlhZWYtNjIwNjM0NGIzYjkyP2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"labels\": [],\r\n \"owner\": {},\r\n \"severity\": \"Medium\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n },\r\n \"etag\": \"\\\"bd0068a3-0000-0100-0000-5fd28f1b0000\\\"\"\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n \"labels\": [],\r\n \"owner\": {},\r\n \"severity\": \"Medium\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n },\r\n \"etag\": \"\\\"e0009f92-0000-0100-0000-60761afd0000\\\"\"\r\n}", "RequestHeaders": { 
"x-ms-client-request-id": [ - "885ff512-9927-4189-abdb-6159cd14e9c3" + "96969c8c-23b7-457c-9ebf-2d1688c85530" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -101,20 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1197" + ], "x-ms-request-id": [ - "b075f175-4cce-4275-acf8-4c0792f17479" + "69278cfe-65c6-437b-9225-14e2b0d771e5" ], "x-ms-correlation-request-id": [ - "b075f175-4cce-4275-acf8-4c0792f17479" + "69278cfe-65c6-437b-9225-14e2b0d771e5" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211156Z:b075f175-4cce-4275-acf8-4c0792f17479" + "WESTUS2:20210413T222814Z:69278cfe-65c6-437b-9225-14e2b0d771e5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,7 +123,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:55 GMT" + "Tue, 13 Apr 2021 22:28:13 GMT" ], "Content-Length": [ "1118" 
@@ -135,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"name\": \"1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"etag\": \"\\\"bd0069a3-0000-0100-0000-5fd28f1b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Medium\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:55.9824847Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:55.5504153Z\",\r\n \"incidentNumber\": 95,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"name\": \"1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"etag\": \"\\\"e000a192-0000-0100-0000-60761afe0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Medium\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": 
null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:14.2829835Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:13.9567656Z\",\r\n \"incidentNumber\": 20,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -145,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "a4fe7bb9-ced7-43c7-8411-4f8d48cbc9dd" + "96969c8c-23b7-457c-9ebf-2d1688c85530" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -164,20 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "9c2ccd12-2d04-48b8-bcad-6524b28af693" + "c8d4800e-dde1-474a-80b7-18aee4d4d3ce" ], "x-ms-correlation-request-id": [ - "9c2ccd12-2d04-48b8-bcad-6524b28af693" + "c8d4800e-dde1-474a-80b7-18aee4d4d3ce" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211155Z:9c2ccd12-2d04-48b8-bcad-6524b28af693" + "WESTUS2:20210413T222814Z:c8d4800e-dde1-474a-80b7-18aee4d4d3ce" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -186,7 +186,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:55 GMT" + "Tue, 13 Apr 2021 22:28:13 GMT" ], "Content-Length": [ "1115" 
@@ -198,7 +198,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"name\": \"1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"etag\": \"\\\"bd0068a3-0000-0100-0000-5fd28f1b0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:55.5504153Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:55.5504153Z\",\r\n \"incidentNumber\": 95,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"name\": \"1624cb38-732b-4775-9aef-6206344b3b92\",\r\n \"etag\": \"\\\"e0009f92-0000-0100-0000-60761afd0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": 
null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:13.9567656Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:13.9567656Z\",\r\n \"incidentNumber\": 20,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1624cb38-732b-4775-9aef-6206344b3b92\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -208,16 +208,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "96ae8cfb-e9d6-428c-b897-7adc7218b0d5" + "53e1d80a-5867-43c4-a38e-a52578381517" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -227,20 +227,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14998" + ], "x-ms-request-id": [ - "1f1a3b78-ba18-4879-908a-58da94591bf9" + "857ea1e5-efdd-4c68-8ed5-c93bba0e356e" ], "x-ms-correlation-request-id": [ - "1f1a3b78-ba18-4879-908a-58da94591bf9" + "857ea1e5-efdd-4c68-8ed5-c93bba0e356e" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211156Z:1f1a3b78-ba18-4879-908a-58da94591bf9" + "WESTUS2:20210413T222814Z:857ea1e5-efdd-4c68-8ed5-c93bba0e356e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -249,7 +249,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:55 GMT" + "Tue, 13 Apr 2021 22:28:14 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/List.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/List.json index 3943ee36f619..316eae4db16b 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/List.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/List.json 
@@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "ed4700bf-3504-4232-860d-60cf9f540458" + "fd6c8301-cea0-41c9-be65-e9b1b36bda83" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "1a1a6abf-0626-4f65-94a1-bb9ff966203c" + "ca3a0586-4b3b-4bed-94de-c51f1e70e989" ], "x-ms-correlation-request-id": [ - "1a1a6abf-0626-4f65-94a1-bb9ff966203c" + "ca3a0586-4b3b-4bed-94de-c51f1e70e989" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211146Z:1a1a6abf-0626-4f65-94a1-bb9ff966203c" + "WESTUS2:20210413T222805Z:ca3a0586-4b3b-4bed-94de-c51f1e70e989" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:45 GMT" + "Tue, 13 Apr 2021 22:28:04 GMT" ], "Content-Length": [ "1115" 
@@ -66,7 +66,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9948fe0a-433c-4230-ab18-41ba430d68bc\",\r\n \"name\": \"9948fe0a-433c-4230-ab18-41ba430d68bc\",\r\n \"etag\": \"\\\"bd004da3-0000-0100-0000-5fd28f120000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:46.6741544Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:46.6741544Z\",\r\n \"incidentNumber\": 89,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9948fe0a-433c-4230-ab18-41ba430d68bc\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9948fe0a-433c-4230-ab18-41ba430d68bc\",\r\n \"name\": \"9948fe0a-433c-4230-ab18-41ba430d68bc\",\r\n \"etag\": \"\\\"e0009392-0000-0100-0000-60761af50000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": 
null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:05.3849274Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:05.3849274Z\",\r\n \"incidentNumber\": 14,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9948fe0a-433c-4230-ab18-41ba430d68bc\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -76,16 +76,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest2\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "a9569612-657a-4625-a695-567470301222" + "7f853e65-bd2c-491b-b3e0-78623fbfa77b" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -101,20 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1197" + ], "x-ms-request-id": [ - "7f194bb1-1e39-4305-b96f-2a44b14a0d6c" + "2e3a326c-fd8c-44ca-b41b-6dc2238ce4d7" ], "x-ms-correlation-request-id": [ - "7f194bb1-1e39-4305-b96f-2a44b14a0d6c" + "2e3a326c-fd8c-44ca-b41b-6dc2238ce4d7" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211147Z:7f194bb1-1e39-4305-b96f-2a44b14a0d6c" + "WESTUS2:20210413T222805Z:2e3a326c-fd8c-44ca-b41b-6dc2238ce4d7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,7 +123,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:46 GMT" + "Tue, 13 Apr 2021 22:28:04 GMT" ], "Content-Length": [ "1116" 
@@ -135,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/93a8577f-b4e6-4225-9240-57bd52238502\",\r\n \"name\": \"93a8577f-b4e6-4225-9240-57bd52238502\",\r\n \"etag\": \"\\\"bd004ea3-0000-0100-0000-5fd28f120000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest2\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:46.9390899Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:46.9390899Z\",\r\n \"incidentNumber\": 90,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/93a8577f-b4e6-4225-9240-57bd52238502\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/93a8577f-b4e6-4225-9240-57bd52238502\",\r\n \"name\": \"93a8577f-b4e6-4225-9240-57bd52238502\",\r\n \"etag\": \"\\\"e0009492-0000-0100-0000-60761af50000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest2\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": 
null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:05.6070733Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:05.6070733Z\",\r\n \"incidentNumber\": 15,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/93a8577f-b4e6-4225-9240-57bd52238502\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -145,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "1e28d23f-e683-45f7-8eb3-70a9deea9d30" + "88fe5606-f5c4-45ac-85e5-6a6f20504528" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -164,20 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11998" + ], "x-ms-request-id": [ - "1477309a-ad9f-421a-bc27-46c8a4394f82" + "9c4e9b62-f43b-420d-ad93-436743f7359a" ], "x-ms-correlation-request-id": [ - "1477309a-ad9f-421a-bc27-46c8a4394f82" + "9c4e9b62-f43b-420d-ad93-436743f7359a" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211147Z:1477309a-ad9f-421a-bc27-46c8a4394f82" + "WESTUS2:20210413T222805Z:9c4e9b62-f43b-420d-ad93-436743f7359a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -186,10 +186,10 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:46 GMT" + "Tue, 13 Apr 2021 22:28:05 GMT" ], "Content-Length": [ - "51001" + "2244" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -198,7 +198,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/93a8577f-b4e6-4225-9240-57bd52238502\",\r\n \"name\": \"93a8577f-b4e6-4225-9240-57bd52238502\",\r\n \"etag\": \"\\\"bd004ea3-0000-0100-0000-5fd28f120000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest2\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:46.9390899Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:46.9390899Z\",\r\n \"incidentNumber\": 90,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/93a8577f-b4e6-4225-9240-57bd52238502\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9948fe0a-433c-4230-ab18-41ba430d68bc\",\r\n \"name\": \"9948fe0a-433c-4230-ab18-41ba430d68bc\",\r\n \"etag\": \"\\\"bd004da3-0000-0100-0000-5fd28f120000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n 
\"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:46.6741544Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:46.6741544Z\",\r\n \"incidentNumber\": 89,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9948fe0a-433c-4230-ab18-41ba430d68bc\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/98fcdc48-02d3-40b3-830d-956cfb36cca0\",\r\n \"name\": \"98fcdc48-02d3-40b3-830d-956cfb36cca0\",\r\n \"etag\": \"\\\"af003351-0000-0100-0000-5fd0165f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"MTP File activity alert\",\r\n \"description\": \"MTP File activity alert\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T23:42:57.4748629Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T23:42:57.4748629Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-09T00:12:15.0675603Z\",\r\n \"createdTimeUtc\": \"2020-12-09T00:02:01.4689098Z\",\r\n \"incidentNumber\": 78,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat 
Protection\"\r\n ],\r\n \"tactics\": []\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-09T00:02:01.3520357Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-09T00:02:01.3520357Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/98fcdc48-02d3-40b3-830d-956cfb36cca0\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/fbd6d4a7-ca9c-4305-a465-ab99f342b2b5\",\r\n \"name\": \"fbd6d4a7-ca9c-4305-a465-ab99f342b2b5\",\r\n \"etag\": \"\\\"a700d02c-0000-0100-0000-5fcffedb0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"CEE Azure Sentinel Rock!!! 10:22\",\r\n \"description\": \"CEE Azure Sentinel Rock!!! 
10:22\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T22:13:20.7043059Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T22:13:20.7043059Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T22:31:55.7121156Z\",\r\n \"createdTimeUtc\": \"2020-12-08T22:31:55.7121156Z\",\r\n \"incidentNumber\": 77,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ]\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T22:31:55.6563304Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T22:31:55.6563304Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/fbd6d4a7-ca9c-4305-a465-ab99f342b2b5\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e7171545-cbb7-410a-8e20-f75f527907de\",\r\n \"name\": \"e7171545-cbb7-410a-8e20-f75f527907de\",\r\n \"etag\": \"\\\"a200191b-0000-0100-0000-5fcff5640000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"MTP File activity alert\",\r\n \"description\": 
\"MTP File activity alert\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T21:38:30.7987903Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T21:38:30.7987903Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T21:51:32.263406Z\",\r\n \"createdTimeUtc\": \"2020-12-08T21:51:32.263406Z\",\r\n \"incidentNumber\": 76,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": []\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T21:51:32.2119971Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T21:51:32.2119971Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e7171545-cbb7-410a-8e20-f75f527907de\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e7f03f88-68f4-40d9-b05e-8700cfdbc43e\",\r\n \"name\": \"e7f03f88-68f4-40d9-b05e-8700cfdbc43e\",\r\n \"etag\": \"\\\"7f00a1fc-0000-0100-0000-5fcf954c0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"MTP Sync - Yanivsh\",\r\n \"description\": \"MTP Sync - 
Yanivsh\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T14:34:17.084673Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T14:34:17.084673Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T15:01:32.4334481Z\",\r\n \"createdTimeUtc\": \"2020-12-08T15:01:32.4334481Z\",\r\n \"incidentNumber\": 75,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ]\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T15:01:32.3621186Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T15:01:32.3621186Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e7f03f88-68f4-40d9-b05e-8700cfdbc43e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e8ad468a-71b3-41b5-9723-16676232ef49\",\r\n \"name\": \"e8ad468a-71b3-41b5-9723-16676232ef49\",\r\n \"etag\": \"\\\"7f005efc-0000-0100-0000-5fcf942e0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"CEE Azure Sentinel Rock!!! 
10:22\",\r\n \"description\": \"CEE Azure Sentinel Rock!!! 10:22\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T14:29:49.0938867Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T14:29:49.0938867Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T14:56:46.187193Z\",\r\n \"createdTimeUtc\": \"2020-12-08T14:56:46.187193Z\",\r\n \"incidentNumber\": 74,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ]\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T14:56:32.5704583Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T14:56:32.5704583Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e8ad468a-71b3-41b5-9723-16676232ef49\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/fc26f90c-2134-4de2-bd42-279fba4cbf57\",\r\n \"name\": \"fc26f90c-2134-4de2-bd42-279fba4cbf57\",\r\n \"etag\": \"\\\"7f0014f9-0000-0100-0000-5fcf8c0f0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n 
\"title\": \"MTP File activity alert\",\r\n \"description\": \"MTP File activity alert\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T14:05:01.1326784Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T14:05:01.1326784Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T14:22:07.355655Z\",\r\n \"createdTimeUtc\": \"2020-12-08T14:22:07.355655Z\",\r\n \"incidentNumber\": 73,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": []\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T14:22:07.2882692Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T14:22:07.2882692Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/fc26f90c-2134-4de2-bd42-279fba4cbf57\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/db63eb23-6b5c-4810-92ce-53fa5937178f\",\r\n \"name\": \"db63eb23-6b5c-4810-92ce-53fa5937178f\",\r\n \"etag\": \"\\\"62005cd4-0000-0100-0000-5fcf39fe0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": 
\"CEE Azure Sentinel Rock!!! 10:22\",\r\n \"description\": \"CEE Azure Sentinel Rock!!! 10:22\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T03:50:17.6487678Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T03:50:17.6487678Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T08:31:58.2820319Z\",\r\n \"createdTimeUtc\": \"2020-12-08T08:31:58.2820319Z\",\r\n \"incidentNumber\": 72,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": [\r\n \"CredentialAccess\"\r\n ]\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T08:31:58.188433Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T08:31:58.188433Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/db63eb23-6b5c-4810-92ce-53fa5937178f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/ef17f26c-25e0-465a-9390-5dfc2fa62bde\",\r\n \"name\": \"ef17f26c-25e0-465a-9390-5dfc2fa62bde\",\r\n \"etag\": \"\\\"61002cc0-0000-0100-0000-5fcf2c050000\\\"\",\r\n \"type\": 
\"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"MTP Sync - Yanivsh\",\r\n \"description\": \"MTP Sync - Yanivsh\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-08T07:18:05.8786345Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-08T07:18:05.8786345Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-08T07:32:21.0005158Z\",\r\n \"createdTimeUtc\": \"2020-12-08T07:32:21.0005158Z\",\r\n \"incidentNumber\": 71,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": [\r\n \"InitialAccess\"\r\n ]\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-08T07:32:20.9413713Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-08T07:32:20.9413713Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/ef17f26c-25e0-465a-9390-5dfc2fa62bde\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/3b73c374-dd2e-4d0c-9bfc-e38de9a02b8e\",\r\n \"name\": \"3b73c374-dd2e-4d0c-9bfc-e38de9a02b8e\",\r\n \"etag\": \"\\\"5c006f5c-0000-0100-0000-5fcef0fa0000\\\"\",\r\n 
\"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-08T03:20:26.5509969Z\",\r\n \"createdTimeUtc\": \"2020-12-08T03:20:26.5509969Z\",\r\n \"incidentNumber\": 68,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/3b73c374-dd2e-4d0c-9bfc-e38de9a02b8e\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/af9792ba-857a-49f9-9ab0-cae6a4ea7a25\",\r\n \"name\": \"af9792ba-857a-49f9-9ab0-cae6a4ea7a25\",\r\n \"etag\": \"\\\"5c000158-0000-0100-0000-5fcef0c60000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-08T03:19:34.1416452Z\",\r\n \"createdTimeUtc\": \"2020-12-08T03:19:34.1416452Z\",\r\n \"incidentNumber\": 67,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n 
\"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/af9792ba-857a-49f9-9ab0-cae6a4ea7a25\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/004e4954-edd5-47aa-a745-107c8be9e8b1\",\r\n \"name\": \"004e4954-edd5-47aa-a745-107c8be9e8b1\",\r\n \"etag\": \"\\\"5c009838-0000-0100-0000-5fceef5a0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-08T03:13:30.7115451Z\",\r\n \"createdTimeUtc\": \"2020-12-08T03:13:30.7115451Z\",\r\n \"incidentNumber\": 63,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/004e4954-edd5-47aa-a745-107c8be9e8b1\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/13d697e9-dec5-4aa3-980c-578328767961\",\r\n \"name\": 
\"13d697e9-dec5-4aa3-980c-578328767961\",\r\n \"etag\": \"\\\"5c000f38-0000-0100-0000-5fceef540000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-08T03:13:24.8080045Z\",\r\n \"createdTimeUtc\": \"2020-12-08T03:13:24.8080045Z\",\r\n \"incidentNumber\": 59,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/13d697e9-dec5-4aa3-980c-578328767961\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/ed5610fb-d221-4006-82c3-7a296f0e89b6\",\r\n \"name\": \"ed5610fb-d221-4006-82c3-7a296f0e89b6\",\r\n \"etag\": \"\\\"5c00df2f-0000-0100-0000-5fceeefc0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-08T03:11:56.310588Z\",\r\n \"createdTimeUtc\": \"2020-12-08T03:11:56.310588Z\",\r\n \"incidentNumber\": 53,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n 
\"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/ed5610fb-d221-4006-82c3-7a296f0e89b6\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e45ff961-9ac7-4cd1-9f3f-92578ac007ce\",\r\n \"name\": \"e45ff961-9ac7-4cd1-9f3f-92578ac007ce\",\r\n \"etag\": \"\\\"5c00512f-0000-0100-0000-5fceeef60000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-08T03:11:50.6729196Z\",\r\n \"createdTimeUtc\": \"2020-12-08T03:11:50.6729196Z\",\r\n \"incidentNumber\": 49,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e45ff961-9ac7-4cd1-9f3f-92578ac007ce\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2a8b581f-20cb-49a9-93e8-a98f31d7c150\",\r\n \"name\": \"2a8b581f-20cb-49a9-93e8-a98f31d7c150\",\r\n \"etag\": \"\\\"58004518-0000-0100-0000-5fce7d570000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"MTP File activity alert\",\r\n \"description\": \"MTP File activity alert\",\r\n \"severity\": \"High\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"firstActivityTimeUtc\": \"2020-12-07T18:48:34.3363505Z\",\r\n \"lastActivityTimeUtc\": \"2020-12-07T18:48:34.3363505Z\",\r\n \"lastModifiedTimeUtc\": \"2020-12-07T19:07:03.5640939Z\",\r\n \"createdTimeUtc\": \"2020-12-07T19:07:03.5640939Z\",\r\n \"incidentNumber\": 46,\r\n \"additionalData\": {\r\n \"alertsCount\": 1,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [\r\n \"Microsoft Defender Advanced Threat Protection\"\r\n ],\r\n \"tactics\": []\r\n },\r\n \"firstActivityTimeGenerated\": \"2020-12-07T19:07:03.4926642Z\",\r\n \"lastActivityTimeGenerated\": \"2020-12-07T19:07:03.4926642Z\",\r\n \"relatedAnalyticRuleIds\": [\r\n \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/alertRules/209ed12a-e19a-4a05-9d81-e11d2be3cafa\"\r\n ],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2a8b581f-20cb-49a9-93e8-a98f31d7c150\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9ad4e331-42c9-4629-a77d-6067d823c537\",\r\n \"name\": \"9ad4e331-42c9-4629-a77d-6067d823c537\",\r\n \"etag\": \"\\\"c80034c8-0000-0100-0000-5fc6b9e50000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"description\": \"\",\r\n \"severity\": \"Medium\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": \"73175b58-b9d7-49eb-b315-7f792a03e380\",\r\n \"email\": \"tiandert@buildseccxpninja.onmicrosoft.com\",\r\n \"assignedTo\": \"Tiander Turpijn\",\r\n \"userPrincipalName\": \"tiandert@buildseccxpninja.onmicrosoft.com\"\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-01T21:47:17.1929778Z\",\r\n \"createdTimeUtc\": \"2020-11-29T23:37:21.077359Z\",\r\n \"incidentNumber\": 45,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 1,\r\n \"commentsCount\": 1,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9ad4e331-42c9-4629-a77d-6067d823c537\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/24a9d0ef-a43c-43a6-a96e-fb0a5bf2ac86\",\r\n \"name\": \"24a9d0ef-a43c-43a6-a96e-fb0a5bf2ac86\",\r\n \"etag\": \"\\\"a2003222-0000-0100-0000-5fc433a90000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n 
\"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-29T23:50:01.3150768Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:45:36.1963838Z\",\r\n \"incidentNumber\": 32,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 1,\r\n \"commentsCount\": 2,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/24a9d0ef-a43c-43a6-a96e-fb0a5bf2ac86\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/8a649275-21e0-4a3f-a6cd-d7a1598fee6a\",\r\n \"name\": \"8a649275-21e0-4a3f-a6cd-d7a1598fee6a\",\r\n \"etag\": \"\\\"1e00921c-0000-0100-0000-5fbc1f500000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:45:04.1765042Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:45:04.1765042Z\",\r\n \"incidentNumber\": 31,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": 
\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/8a649275-21e0-4a3f-a6cd-d7a1598fee6a\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/57b16c90-3bf2-4c14-884f-4acc0a88c6e0\",\r\n \"name\": \"57b16c90-3bf2-4c14-884f-4acc0a88c6e0\",\r\n \"etag\": \"\\\"1e00b719-0000-0100-0000-5fbc1f230000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:44:19.4658389Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:44:19.4658389Z\",\r\n \"incidentNumber\": 30,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/57b16c90-3bf2-4c14-884f-4acc0a88c6e0\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4541d8a2-0883-454b-8066-186cbe095558\",\r\n \"name\": \"4541d8a2-0883-454b-8066-186cbe095558\",\r\n 
\"etag\": \"\\\"1e000e15-0000-0100-0000-5fbc1ed90000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:43:05.7558114Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:43:05.3753439Z\",\r\n \"incidentNumber\": 28,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 1,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4541d8a2-0883-454b-8066-186cbe095558\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/f43365b7-e355-47d6-a5d4-578e7a57be37\",\r\n \"name\": \"f43365b7-e355-47d6-a5d4-578e7a57be37\",\r\n \"etag\": \"\\\"1e005f13-0000-0100-0000-5fbc1eb70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:42:31.1301819Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:42:30.7228533Z\",\r\n \"incidentNumber\": 27,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 1,\r\n 
\"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/f43365b7-e355-47d6-a5d4-578e7a57be37\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2992b2dd-bea0-49eb-bb3b-7c25df8a55fb\",\r\n \"name\": \"2992b2dd-bea0-49eb-bb3b-7c25df8a55fb\",\r\n \"etag\": \"\\\"1e007d11-0000-0100-0000-5fbc1e800000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:41:36.5956726Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:41:36.5956726Z\",\r\n \"incidentNumber\": 25,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2992b2dd-bea0-49eb-bb3b-7c25df8a55fb\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/bdb9b1a2-b1cf-4b2d-981b-ebf5cf896d16\",\r\n \"name\": \"bdb9b1a2-b1cf-4b2d-981b-ebf5cf896d16\",\r\n \"etag\": \"\\\"a3008448-0000-0100-0000-5fc439f70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [\r\n {\r\n \"labelName\": \"test\",\r\n \"labelType\": \"User\"\r\n }\r\n ],\r\n \"lastModifiedTimeUtc\": \"2020-11-30T00:16:55.0086648Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:41:02.1446955Z\",\r\n \"incidentNumber\": 24,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/bdb9b1a2-b1cf-4b2d-981b-ebf5cf896d16\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/168cea98-4380-46bf-a62c-de008cdea3ff\",\r\n \"name\": \"168cea98-4380-46bf-a62c-de008cdea3ff\",\r\n \"etag\": \"\\\"1e00560e-0000-0100-0000-5fbc1d240000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n 
\"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:35:48.2045285Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:35:48.2045285Z\",\r\n \"incidentNumber\": 23,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/168cea98-4380-46bf-a62c-de008cdea3ff\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/19c1a62d-4643-4a64-b551-b5c18e6f9660\",\r\n \"name\": \"19c1a62d-4643-4a64-b551-b5c18e6f9660\",\r\n \"etag\": \"\\\"1e00bb0d-0000-0100-0000-5fbc1d040000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:35:16.6872236Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:35:16.6872236Z\",\r\n \"incidentNumber\": 22,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": 
\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/19c1a62d-4643-4a64-b551-b5c18e6f9660\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2bd37e65-3a44-40e6-b06b-65579b178214\",\r\n \"name\": \"2bd37e65-3a44-40e6-b06b-65579b178214\",\r\n \"etag\": \"\\\"1e00660c-0000-0100-0000-5fbc1cb10000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:33:53.599723Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:33:53.599723Z\",\r\n \"incidentNumber\": 21,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2bd37e65-3a44-40e6-b06b-65579b178214\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/3943df6b-c886-4eb4-8303-341cb34bb2c7\",\r\n \"name\": \"3943df6b-c886-4eb4-8303-341cb34bb2c7\",\r\n \"etag\": 
\"\\\"1e009e0b-0000-0100-0000-5fbc1c8a0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:33:14.3058272Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:33:14.3058272Z\",\r\n \"incidentNumber\": 20,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/3943df6b-c886-4eb4-8303-341cb34bb2c7\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/cb83e51c-f94d-45f0-ad19-6bd2e80026f6\",\r\n \"name\": \"cb83e51c-f94d-45f0-ad19-6bd2e80026f6\",\r\n \"etag\": \"\\\"1e00860a-0000-0100-0000-5fbc1c550000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:32:21.6790712Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:32:21.6790712Z\",\r\n \"incidentNumber\": 19,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n 
\"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/cb83e51c-f94d-45f0-ad19-6bd2e80026f6\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/338a12ce-c46b-4e7b-bd9a-6fdbced79a64\",\r\n \"name\": \"338a12ce-c46b-4e7b-bd9a-6fdbced79a64\",\r\n \"etag\": \"\\\"1e003d07-0000-0100-0000-5fbc1c1e0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:31:26.8920339Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:31:26.8920339Z\",\r\n \"incidentNumber\": 18,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/338a12ce-c46b-4e7b-bd9a-6fdbced79a64\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a9c55386-be06-40ef-b909-48c4abcc696f\",\r\n \"name\": \"a9c55386-be06-40ef-b909-48c4abcc696f\",\r\n \"etag\": \"\\\"1e00f704-0000-0100-0000-5fbc1c030000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:30:59.2614436Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:30:59.2614436Z\",\r\n \"incidentNumber\": 17,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a9c55386-be06-40ef-b909-48c4abcc696f\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/b8578956-c86e-4d9b-b950-98a955102d08\",\r\n \"name\": \"b8578956-c86e-4d9b-b950-98a955102d08\",\r\n \"etag\": \"\\\"1e00fe01-0000-0100-0000-5fbc1be30000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": 
null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:30:27.0263621Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:30:27.0263621Z\",\r\n \"incidentNumber\": 16,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/b8578956-c86e-4d9b-b950-98a955102d08\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/d8ba1aed-e64b-4fe4-9fba-8bb95b098f67\",\r\n \"name\": \"d8ba1aed-e64b-4fe4-9fba-8bb95b098f67\",\r\n \"etag\": \"\\\"1d0008fd-0000-0100-0000-5fbc1b9d0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:29:17.9413965Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:29:17.9413965Z\",\r\n \"incidentNumber\": 15,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": 
\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/d8ba1aed-e64b-4fe4-9fba-8bb95b098f67\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e10a00b2-c388-4ad9-9897-2b444a8fe50d\",\r\n \"name\": \"e10a00b2-c388-4ad9-9897-2b444a8fe50d\",\r\n \"etag\": \"\\\"1d0045f2-0000-0100-0000-5fbc1aee0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:26:21.9796208Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:26:21.9796208Z\",\r\n \"incidentNumber\": 8,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/e10a00b2-c388-4ad9-9897-2b444a8fe50d\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1ae861a1-c949-42c1-8c37-5f382d99fac3\",\r\n \"name\": \"1ae861a1-c949-42c1-8c37-5f382d99fac3\",\r\n \"etag\": 
\"\\\"1d0092ef-0000-0100-0000-5fbc1ab20000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:25:22.0712913Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:25:22.0712913Z\",\r\n \"incidentNumber\": 6,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/1ae861a1-c949-42c1-8c37-5f382d99fac3\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/f1a89b23-0c09-4a6c-af77-7935e1b87797\",\r\n \"name\": \"f1a89b23-0c09-4a6c-af77-7935e1b87797\",\r\n \"etag\": \"\\\"1d008eef-0000-0100-0000-5fbc1ab00000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:25:20.5970746Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:25:20.5970746Z\",\r\n \"incidentNumber\": 5,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n 
\"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/f1a89b23-0c09-4a6c-af77-7935e1b87797\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/061c9297-d356-485e-9676-b44cf9b0df92\",\r\n \"name\": \"061c9297-d356-485e-9676-b44cf9b0df92\",\r\n \"etag\": \"\\\"1d008def-0000-0100-0000-5fbc1aaf0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:25:19.2307468Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:25:19.2307468Z\",\r\n \"incidentNumber\": 4,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/061c9297-d356-485e-9676-b44cf9b0df92\"\r\n }\r\n },\r\n {\r\n \"id\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2da34951-449e-463b-bd0a-d771af82e590\",\r\n \"name\": \"2da34951-449e-463b-bd0a-d771af82e590\",\r\n \"etag\": \"\\\"1d0088ef-0000-0100-0000-5fbc1aad0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest2\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:25:17.5717541Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:25:17.5717541Z\",\r\n \"incidentNumber\": 3,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/2da34951-449e-463b-bd0a-d771af82e590\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a537c5e1-4d52-44cb-b012-83c9d8437207\",\r\n \"name\": \"a537c5e1-4d52-44cb-b012-83c9d8437207\",\r\n \"etag\": \"\\\"1d0087ef-0000-0100-0000-5fbc1aad0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": 
null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-23T20:25:17.3157001Z\",\r\n \"createdTimeUtc\": \"2020-11-23T20:25:17.3157001Z\",\r\n \"incidentNumber\": 2,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a537c5e1-4d52-44cb-b012-83c9d8437207\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/808b10de-0841-40c1-ba57-75a05f98ad01\",\r\n \"name\": \"808b10de-0841-40c1-ba57-75a05f98ad01\",\r\n \"etag\": \"\\\"0100a486-0000-0100-0000-5fb89e920000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"testapi\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-11-19T00:16:50.0225943Z\",\r\n \"createdTimeUtc\": \"2020-11-11T23:35:52.6826913Z\",\r\n \"incidentNumber\": 1,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 1,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": 
\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/808b10de-0841-40c1-ba57-75a05f98ad01\"\r\n }\r\n }\r\n ]\r\n}", + "ResponseBody": "{\r\n \"value\": [\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/93a8577f-b4e6-4225-9240-57bd52238502\",\r\n \"name\": \"93a8577f-b4e6-4225-9240-57bd52238502\",\r\n \"etag\": \"\\\"e0009492-0000-0100-0000-60761af50000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest2\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:05.6070733Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:05.6070733Z\",\r\n \"incidentNumber\": 15,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/93a8577f-b4e6-4225-9240-57bd52238502\"\r\n }\r\n },\r\n {\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9948fe0a-433c-4230-ab18-41ba430d68bc\",\r\n \"name\": 
\"9948fe0a-433c-4230-ab18-41ba430d68bc\",\r\n \"etag\": \"\\\"e0009392-0000-0100-0000-60761af50000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:05.3849274Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:05.3849274Z\",\r\n \"incidentNumber\": 14,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/9948fe0a-433c-4230-ab18-41ba430d68bc\"\r\n }\r\n }\r\n ]\r\n}", "StatusCode": 200 }, { @@ -208,16 +208,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "1aa4abe4-3730-40fe-955b-d595936a33b3" + "45d8caad-a9a1-404e-8c9e-c5593dcf51c2" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -227,20 +227,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14998" + ], "x-ms-request-id": [ - "988ea313-ba18-44b8-a1ea-57aefd302c29" + "073d678a-e8da-4745-bc3f-00df6ec43610" ], "x-ms-correlation-request-id": [ - "988ea313-ba18-44b8-a1ea-57aefd302c29" + "073d678a-e8da-4745-bc3f-00df6ec43610" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211147Z:988ea313-ba18-44b8-a1ea-57aefd302c29" + "WESTUS2:20210413T222806Z:073d678a-e8da-4745-bc3f-00df6ec43610" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -249,7 +249,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:46 GMT" + "Tue, 13 Apr 2021 22:28:05 GMT" ], "Content-Length": [ "2" @@ -271,16 +271,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "36bf4015-5b8f-4801-b332-29a1ef69eefc" + "789ee7b0-d9a8-4228-9aa8-44bb1c9b6cbc" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -290,20 +290,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14998" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14997" + ], "x-ms-request-id": [ - "7d58c328-7c2e-45ec-a712-f831cc35027d" + "0ce70dcb-57d6-4571-a1b0-e9c671922ce1" ], "x-ms-correlation-request-id": [ - "7d58c328-7c2e-45ec-a712-f831cc35027d" + "0ce70dcb-57d6-4571-a1b0-e9c671922ce1" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211147Z:7d58c328-7c2e-45ec-a712-f831cc35027d" + "WESTUS2:20210413T222806Z:0ce70dcb-57d6-4571-a1b0-e9c671922ce1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -312,7 +312,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:46 GMT" + "Tue, 13 Apr 2021 22:28:05 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Remove.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Remove.json index 28cae531184d..b4ada61753b3 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Remove.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Remove.json @@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "79022c4d-1d8d-4c3e-b521-788ef6be7c23" + "37f0f340-5b14-457e-9d30-20f392645c73" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" 
@@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "08b08cbe-7caa-41a2-865f-c18e1de26c9f" + "5cd58c98-cb78-492b-ae0a-9850203b1a6a" ], "x-ms-correlation-request-id": [ - "08b08cbe-7caa-41a2-865f-c18e1de26c9f" + "5cd58c98-cb78-492b-ae0a-9850203b1a6a" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211154Z:08b08cbe-7caa-41a2-865f-c18e1de26c9f" + "WESTUS2:20210413T222812Z:5cd58c98-cb78-492b-ae0a-9850203b1a6a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -54,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:53 GMT" + "Tue, 13 Apr 2021 22:28:11 GMT" ], "Content-Length": [ "1115" 
@@ -66,7 +66,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a91c3054-ced5-4e5b-90ba-ef3d031a34e2\",\r\n \"name\": \"a91c3054-ced5-4e5b-90ba-ef3d031a34e2\",\r\n \"etag\": \"\\\"bd0062a3-0000-0100-0000-5fd28f190000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:53.9702619Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:53.9702619Z\",\r\n \"incidentNumber\": 94,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a91c3054-ced5-4e5b-90ba-ef3d031a34e2\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a91c3054-ced5-4e5b-90ba-ef3d031a34e2\",\r\n \"name\": \"a91c3054-ced5-4e5b-90ba-ef3d031a34e2\",\r\n \"etag\": \"\\\"e0009e92-0000-0100-0000-60761afc0000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": 
null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:12.2408908Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:12.2408908Z\",\r\n \"incidentNumber\": 19,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/a91c3054-ced5-4e5b-90ba-ef3d031a34e2\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -76,16 +76,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "1c1c432c-9fe2-4365-a350-226a086a1cbb" + "f5607631-83eb-4676-a81e-cd673f268ba8" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -95,20 +95,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "6aae6056-4ef4-4e48-b0c7-4cae3cb7181f" + "be7ff53e-8bed-4cf1-8d07-6678167a8595" ], "x-ms-correlation-request-id": [ - "6aae6056-4ef4-4e48-b0c7-4cae3cb7181f" + "be7ff53e-8bed-4cf1-8d07-6678167a8595" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211154Z:6aae6056-4ef4-4e48-b0c7-4cae3cb7181f" + "WESTUS2:20210413T222812Z:be7ff53e-8bed-4cf1-8d07-6678167a8595" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -117,7 +117,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:53 GMT" + "Tue, 13 Apr 2021 22:28:11 GMT" ], "Content-Length": [ "2" @@ -139,16 +139,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "65db61ff-d330-47f4-9892-1618b0380909" + "5da8837f-a3c6-4d14-8aad-145ed5035230" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { @@ -165,13 +165,13 @@ "14998" ], "x-ms-request-id": [ - "1527eec9-5922-4915-ad31-5a50031a4e4e" + "6b6d73da-5c30-4846-a574-53c87a10a070" ], "x-ms-correlation-request-id": [ - "1527eec9-5922-4915-ad31-5a50031a4e4e" + "6b6d73da-5c30-4846-a574-53c87a10a070" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211154Z:1527eec9-5922-4915-ad31-5a50031a4e4e" + "WESTUS2:20210413T222812Z:6b6d73da-5c30-4846-a574-53c87a10a070" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -180,7 +180,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:54 GMT" + "Tue, 13 Apr 2021 22:28:11 GMT" ], "Expires": [ "-1" 
diff --git a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Update.json b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Update.json index c67f4c946547..0a7bde5e13fd 100644 --- a/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Update.json +++ b/src/SecurityInsights/SecurityInsights.Test/SessionRecords/Microsoft.Azure.Commands.SecurityInsights.Test.ScenarioTests.IncidentsTests/Update.json @@ -7,16 +7,16 @@ "RequestBody": "{\r\n \"properties\": {\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"title\": \"PoshModuleTest\"\r\n }\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "ab600141-7077-4b77-900a-13bb11133c3c" + "9df5076e-fbb1-4432-b0fb-c9fd2e45945a" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -32,20 +32,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1199" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1199" + ], "x-ms-request-id": [ - "992ad7ec-2a5e-40a5-b9f8-b70f196f3707" + "1851b6e3-fb67-4e8d-b134-66ad8d0214e2" ], "x-ms-correlation-request-id": [ - "992ad7ec-2a5e-40a5-b9f8-b70f196f3707" + "1851b6e3-fb67-4e8d-b134-66ad8d0214e2" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211149Z:992ad7ec-2a5e-40a5-b9f8-b70f196f3707" + "WESTUS2:20210413T222807Z:1851b6e3-fb67-4e8d-b134-66ad8d0214e2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" 
@@ -54,7 +54,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:48 GMT" + "Tue, 13 Apr 2021 22:28:07 GMT" ], "Content-Length": [ "1115" 
@@ -66,26 +66,26 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"name\": \"4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"etag\": \"\\\"bd0055a3-0000-0100-0000-5fd28f150000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:49.0190894Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:49.0190894Z\",\r\n \"incidentNumber\": 91,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"name\": \"4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"etag\": \"\\\"e0009692-0000-0100-0000-60761af70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": 
null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:07.4844311Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:07.4844311Z\",\r\n \"incidentNumber\": 16,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\"\r\n }\r\n}", "StatusCode": 200 }, { "RequestUri": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715?api-version=2020-01-01", "EncodedRequestUri": "L3N1YnNjcmlwdGlvbnMvMWM2MWNjYmYtNzBiMy00NWEzLWExZmItODQ4Y2U0NmQ3MGE2L3Jlc291cmNlR3JvdXBzL25kaWNvbGEtYXpzcG9zaC9wcm92aWRlcnMvTWljcm9zb2Z0Lk9wZXJhdGlvbmFsSW5zaWdodHMvd29ya3NwYWNlcy9henNwb3NoL3Byb3ZpZGVycy9NaWNyb3NvZnQuU2VjdXJpdHlJbnNpZ2h0cy9pbmNpZGVudHMvNGMzZjU2ZTAtYzQwYy00YzAzLWFmMDgtYTQwZjZiZTM2NzE1P2FwaS12ZXJzaW9uPTIwMjAtMDEtMDE=", "RequestMethod": "PUT", - "RequestBody": "{\r\n \"properties\": {\r\n \"classification\": \"FalsePositive\",\r\n \"classificationReason\": \"InaccurateData\",\r\n \"labels\": [],\r\n \"owner\": {},\r\n \"severity\": \"Low\",\r\n \"status\": \"Closed\",\r\n \"title\": \"PoshModuleTest\"\r\n },\r\n \"etag\": \"\\\"bd0055a3-0000-0100-0000-5fd28f150000\\\"\"\r\n}", + "RequestBody": "{\r\n \"properties\": {\r\n \"classification\": \"FalsePositive\",\r\n \"classificationReason\": \"InaccurateData\",\r\n \"labels\": [],\r\n \"owner\": {},\r\n \"severity\": 
\"Low\",\r\n \"status\": \"Closed\",\r\n \"title\": \"PoshModuleTest\"\r\n },\r\n \"etag\": \"\\\"e0009692-0000-0100-0000-60761af70000\\\"\"\r\n}", "RequestHeaders": { "x-ms-client-request-id": [ - "1b5c64b6-88a2-427d-8852-ee84544d9d2b" + "3f6f2024-bfee-4c60-8033-1be3e1ca0682" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ], "Content-Type": [ "application/json; charset=utf-8" @@ -101,20 +101,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-writes": [ - "1198" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ + "1198" + ], "x-ms-request-id": [ - "6da29833-4bc2-4c24-a8bd-ed37e3b8345f" + "0e4d95f4-84cd-4f83-955e-1eeebd85ac52" ], "x-ms-correlation-request-id": [ - "6da29833-4bc2-4c24-a8bd-ed37e3b8345f" + "0e4d95f4-84cd-4f83-955e-1eeebd85ac52" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211149Z:6da29833-4bc2-4c24-a8bd-ed37e3b8345f" + "WESTUS2:20210413T222807Z:0e4d95f4-84cd-4f83-955e-1eeebd85ac52" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -123,7 +123,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:49 GMT" + "Tue, 13 Apr 2021 22:28:07 GMT" ], "Content-Length": [ "1191" 
@@ -135,7 +135,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"name\": \"4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"etag\": \"\\\"bd0056a3-0000-0100-0000-5fd28f150000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"Closed\",\r\n \"classification\": \"FalsePositive\",\r\n \"classificationReason\": \"InaccurateData\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:49.4598307Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:49.0190894Z\",\r\n \"incidentNumber\": 91,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"name\": \"4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"etag\": \"\\\"e0009892-0000-0100-0000-60761af70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": 
\"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"Closed\",\r\n \"classification\": \"FalsePositive\",\r\n \"classificationReason\": \"InaccurateData\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:07.8365926Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:07.4844311Z\",\r\n \"incidentNumber\": 16,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -145,16 +145,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "f010b048-02b1-4c5a-b945-ca6e65ac5632" + "3f6f2024-bfee-4c60-8033-1be3e1ca0682" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -164,20 +164,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ - "11999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ + "11999" + ], "x-ms-request-id": [ - "36203b91-ed47-4d60-9d6a-f460c998bad0" + "0003dc82-0c6b-4f7d-93f3-f8d5a9a47953" ], "x-ms-correlation-request-id": [ - "36203b91-ed47-4d60-9d6a-f460c998bad0" + "0003dc82-0c6b-4f7d-93f3-f8d5a9a47953" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211149Z:36203b91-ed47-4d60-9d6a-f460c998bad0" + "WESTUS2:20210413T222807Z:0003dc82-0c6b-4f7d-93f3-f8d5a9a47953" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -186,7 +186,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:49 GMT" + "Tue, 13 Apr 2021 22:28:07 GMT" ], "Content-Length": [ "1115" 
@@ -198,7 +198,7 @@ "-1" ] }, - "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"name\": \"4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"etag\": \"\\\"bd0055a3-0000-0100-0000-5fd28f150000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2020-12-10T21:11:49.0190894Z\",\r\n \"createdTimeUtc\": \"2020-12-10T21:11:49.0190894Z\",\r\n \"incidentNumber\": 91,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\"\r\n }\r\n}", + "ResponseBody": "{\r\n \"id\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"name\": \"4c3f56e0-c40c-4c03-af08-a40f6be36715\",\r\n \"etag\": \"\\\"e0009692-0000-0100-0000-60761af70000\\\"\",\r\n \"type\": \"Microsoft.SecurityInsights/Incidents\",\r\n \"properties\": {\r\n \"title\": \"PoshModuleTest\",\r\n \"severity\": \"Low\",\r\n \"status\": \"New\",\r\n \"owner\": {\r\n \"objectId\": 
null,\r\n \"email\": null,\r\n \"assignedTo\": null,\r\n \"userPrincipalName\": null\r\n },\r\n \"labels\": [],\r\n \"lastModifiedTimeUtc\": \"2021-04-13T22:28:07.4844311Z\",\r\n \"createdTimeUtc\": \"2021-04-13T22:28:07.4844311Z\",\r\n \"incidentNumber\": 16,\r\n \"additionalData\": {\r\n \"alertsCount\": 0,\r\n \"bookmarksCount\": 0,\r\n \"commentsCount\": 0,\r\n \"alertProductNames\": [],\r\n \"tactics\": []\r\n },\r\n \"relatedAnalyticRuleIds\": [],\r\n \"incidentUrl\": \"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/ndicola-azsposh/providers/Microsoft.OperationalInsights/workspaces/azsposh/providers/Microsoft.SecurityInsights/Incidents/4c3f56e0-c40c-4c03-af08-a40f6be36715\"\r\n }\r\n}", "StatusCode": 200 }, { @@ -208,16 +208,16 @@ "RequestBody": "", "RequestHeaders": { "x-ms-client-request-id": [ - "8d615fb6-cbf2-466d-94b3-f48dc9bbf7fb" + "264f8af6-b5c6-42e4-afb9-18fa03d9cb8b" ], "Accept-Language": [ "en-US" ], "User-Agent": [ - "FxVersion/4.6.29321.03", + "FxVersion/4.6.29812.02", "OSName/Windows", "OSVersion/Microsoft.Windows.10.0.19042.", - "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0.0" + "Microsoft.Azure.Management.SecurityInsights.SecurityInsightsClient/1.0.0" ] }, "ResponseHeaders": { 
@@ -227,20 +227,20 @@ "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ - "14999" - ], "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ + "14999" + ], "x-ms-request-id": [ - "8ed6d260-c25c-42e3-9a34-46e3ccaef14f" + "fc90ef4d-4969-4e4c-90b3-84a6d173e199" ], "x-ms-correlation-request-id": [ - "8ed6d260-c25c-42e3-9a34-46e3ccaef14f" + "fc90ef4d-4969-4e4c-90b3-84a6d173e199" ], "x-ms-routing-request-id": [ - "WESTUS2:20201210T211149Z:8ed6d260-c25c-42e3-9a34-46e3ccaef14f" + "WESTUS2:20210413T222808Z:fc90ef4d-4969-4e4c-90b3-84a6d173e199" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" @@ -249,7 +249,7 @@ "nosniff" ], "Date": [ - "Thu, 10 Dec 2020 21:11:49 GMT" + "Tue, 13 Apr 2021 22:28:07 GMT" ], "Content-Length": [ "2" diff --git a/src/SecurityInsights/SecurityInsights/ChangeLog.md b/src/SecurityInsights/SecurityInsights/ChangeLog.md index 0ed390ec20c9..40694247fb81 100644 --- a/src/SecurityInsights/SecurityInsights/ChangeLog.md +++ b/src/SecurityInsights/SecurityInsights/ChangeLog.md @@ -19,6 +19,9 @@ --> ## Upcoming Release +* Added support for Teams in Office Connector +* Bug Fixes +* Updated Documentations ## Version 0.1.0 * Initial Release diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/GetAlertRuleActions.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/GetAlertRuleActions.cs index 708e1c46bc1d..4d75059e47b0 100644 --- a/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/GetAlertRuleActions.cs +++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/GetAlertRuleActions.cs 
@@ -54,7 +54,7 @@ public override void ExecuteCmdlet() WriteObject(actions.ConvertToPSType(), enumerateCollection: true); break; case ParameterSetNames.ActionId: - var action = SecurityInsightsClient.AlertRules.GetAction(ResourceGroupName, WorkspaceName, AlertRuleId, ActionId); + var action = SecurityInsightsClient.Actions.Get(ResourceGroupName, WorkspaceName, AlertRuleId, ActionId); WriteObject(action.ConvertToPSType(), enumerateCollection: false); break; default: diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/NewAlertRuleActions.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/NewAlertRuleActions.cs index 2b520f5a5ea5..439d9e268a91 100644 --- a/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/NewAlertRuleActions.cs +++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/NewAlertRuleActions.cs @@ -67,7 +67,7 @@ public override void ExecuteCmdlet() if (ShouldProcess(name, VerbsCommon.New)) { - var outputaction = SecurityInsightsClient.AlertRules.CreateOrUpdateAction(ResourceGroupName, WorkspaceName, AlertRuleId, name, action); + var outputaction = SecurityInsightsClient.Actions.CreateOrUpdate(ResourceGroupName, WorkspaceName, AlertRuleId, name, action); WriteObject(outputaction.ConvertToPSType(), enumerateCollection: false); } diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/RemoveAlertRuleActions.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/RemoveAlertRuleActions.cs index 243de6bc6af3..7f2db249b4d1 100644 --- a/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/RemoveAlertRuleActions.cs +++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/RemoveAlertRuleActions.cs 
@@ -70,7 +70,7 @@ public override void ExecuteCmdlet() if (ShouldProcess(name, VerbsCommon.Remove)) { - var result = SecurityInsightsClient.AlertRules.DeleteActionWithHttpMessagesAsync(resourcegroup, workspacename, alertrule, name).Result; + var result = SecurityInsightsClient.Actions.DeleteWithHttpMessagesAsync(resourcegroup, workspacename, alertrule, name).Result; if (result.Response.StatusCode == (System.Net.HttpStatusCode)200) { System.Console.WriteLine("success"); diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/UpdateAlertRuleActions.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/UpdateAlertRuleActions.cs index 4a28a0fe3dd6..cab97908e6c7 100644 --- a/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/UpdateAlertRuleActions.cs +++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Actions/UpdateAlertRuleActions.cs @@ -90,7 +90,7 @@ public override void ExecuteCmdlet() PSSentinelActionResponse alertRuleAction = null; try { - alertRuleAction = this.SecurityInsightsClient.AlertRules.GetAction(ResourceGroupName, WorkspaceName, AlertRuleId, ActionId).ConvertToPSType(); + alertRuleAction = this.SecurityInsightsClient.Actions.Get(ResourceGroupName, WorkspaceName, AlertRuleId, ActionId).ConvertToPSType(); } catch { @@ -110,7 +110,7 @@ public override void ExecuteCmdlet() if (this.ShouldProcess(this.ActionId, string.Format("Updating Action '{0}' for Alert Rule '{1}' in resource group '{2}' under workspace '{3}'.", this.ActionId, this.AlertRuleId, this.ResourceGroupName, this.WorkspaceName))) { - var result = this.SecurityInsightsClient.AlertRules.CreateOrUpdateAction(this.ResourceGroupName, this.WorkspaceName, this.AlertRuleId, this.ActionId, updateAlertRuleAction.CreatePSType()).ConvertToPSType(); + var result = this.SecurityInsightsClient.Actions.CreateOrUpdate(this.ResourceGroupName, this.WorkspaceName, this.AlertRuleId, this.ActionId, updateAlertRuleAction.CreatePSType()).ConvertToPSType(); WriteObject(result); } } 
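Review bot: The renamed delete call still blocks on `.Result`, so a failed delete reaches the user as an AggregateException wrapping the real exception, and the HttpOperationResponse it returns is never disposed. Prefer `var result = SecurityInsightsClient.Actions.DeleteWithHttpMessagesAsync(resourcegroup, workspacename, alertrule, name).GetAwaiter().GetResult();` so the original exception propagates, and dispose the response once the status code has been read. The `System.Console.WriteLine("success")` on the following context line bypasses the PowerShell output streams; `WriteVerbose` would be the cmdlet-idiomatic form, though that line predates this change. ExecuteCmdlet continues outside the hunk.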
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/NewAlertRules.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/NewAlertRules.cs index 720387f05284..735dbc649068 100644 --- a/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/NewAlertRules.cs +++ b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/NewAlertRules.cs @@ -130,6 +130,7 @@ public class NewAlertRules : SecurityInsightsCmdletBase [ValidateNotNullOrEmpty] public int? TriggerThreshold { get; set; } + //Add Input object Support public override void ExecuteCmdlet() { diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/UpdateAlertRules.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/UpdateAlertRules.cs index 777cfa73b072..419b5c6e3ac6 100644 --- a/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/UpdateAlertRules.cs +++ b/src/SecurityInsights/SecurityInsights/Cmdlets/AlertRules/UpdateAlertRules.cs @@ -181,7 +181,7 @@ public override void ExecuteCmdlet() var alertule = convertedFusionAlertRule; }; - if(alertRule.Kind == "MicrosoftSecurityIncidentCreationRule") + if(alertRule.Kind == "MicrosoftSecurityIncidentCreation") { var convertedMicrosoftSecurityIncidentCreationAlertRule = alertRule as PSSentinelMicrosoftSecurityIncidentCreationRule; diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/NewDataConnectors.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/NewDataConnectors.cs index 9e67706f3261..c5a942c9f2c0 100644 --- a/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/NewDataConnectors.cs +++ b/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/NewDataConnectors.cs 
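Review bot: The added `//Add Input object Support` above ExecuteCmdlet reads as a pending work item but carries no TODO marker, owner or description, so tooling will not pick it up and readers cannot tell whether input-object support is done or planned. Either drop it or make it actionable, e.g. `// TODO: accept an input object as an alternative to the individual parameters`.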
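Review bot: The corrected kind check compares `alertRule.Kind` against a bare literal, `"MicrosoftSecurityIncidentCreation"`, which is exactly how the previous wrong value slipped in, and the same string is presumably needed wherever else the cmdlets switch on rule kind. Hoist it to a named constant, `private const string MicrosoftSecurityIncidentCreationKind = "MicrosoftSecurityIncidentCreation";`, and compare against that. The surrounding context also shows `var alertule = convertedFusionAlertRule;` assigning an unused, misspelled local and a stray `};` closing the previous block; both predate this change but are worth cleaning up while here. ExecuteCmdlet continues outside the hunk.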
@@ -124,6 +124,11 @@ public class NewDataConnectors : SecurityInsightsCmdletBase [ValidateSet("Enabled", "Disabled")] public string SharePoint { get; set; } + [Parameter(ParameterSetName = ParameterSetNames.Office365, Mandatory = true, HelpMessage = ParameterHelpMessages.Teams)] + [ValidateNotNullOrEmpty] + [ValidateSet("Enabled", "Disabled")] + public string Teams { get; set; } + [Parameter(ParameterSetName = ParameterSetNames.ThreatIntelligence, Mandatory = true, HelpMessage = ParameterHelpMessages.Indicators)] [ValidateNotNullOrEmpty] [ValidateSet("Enabled", "Disabled")] @@ -252,10 +257,13 @@ public override void ExecuteCmdlet() { State = Exchange.ToLower() }; OfficeDataConnectorDataTypesSharePoint officeSharePoint = new OfficeDataConnectorDataTypesSharePoint { State = SharePoint.ToLower() }; + OfficeDataConnectorDataTypesTeams officeTeams = new OfficeDataConnectorDataTypesTeams + { State = Teams.ToLower() }; OfficeDataConnectorDataTypes officeDataTypes = new OfficeDataConnectorDataTypes { Exchange = officeExchange, - SharePoint = officeSharePoint + SharePoint = officeSharePoint, + Teams = officeTeams }; OfficeDataConnector officeConnector = new OfficeDataConnector { diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/UpdateDataConnectors.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/UpdateDataConnectors.cs index a024a3c5beee..a025b08c17af 100644 --- a/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/UpdateDataConnectors.cs +++ b/src/SecurityInsights/SecurityInsights/Cmdlets/DataConnectors/UpdateDataConnectors.cs 
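Review bot: Declaring `Teams` with `Mandatory = true` in the Office365 parameter set turns every existing invocation that passes only Exchange and SharePoint into a parameter-binding error, a breaking change that the ChangeLog entry describes only as added support. If backward compatibility matters, use `Mandatory = false` here, and because the later `Teams.ToLower()` would then throw on a null value, give it a defined fallback such as `{ State = (Teams ?? "Disabled").ToLower() }` (the default is the author's call). ExecuteCmdlet continues outside the hunk.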
@@ -83,6 +83,11 @@ public class UpdateDataConnectors : SecurityInsightsCmdletBase [ValidateSet("Enabled", "Disabled")] public string SharePoint { get; set; } + [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Teams)] + [ValidateNotNullOrEmpty] + [ValidateSet("Enabled", "Disabled")] + public string Teams { get; set; } + [Parameter(Mandatory = false, HelpMessage = ParameterHelpMessages.Indicators)] [ValidateNotNullOrEmpty] [ValidateSet("Enabled", "Disabled")] @@ -190,6 +195,7 @@ public override void ExecuteCmdlet() convertedO365DataConnector.TenantId = convertedO365DataConnector.TenantId; convertedO365DataConnector.DataTypes.Exchange.State = this.IsParameterBound(c => c.Exchange) ? this.Exchange : convertedO365DataConnector.DataTypes.Exchange.State; convertedO365DataConnector.DataTypes.SharePoint.State = this.IsParameterBound(c => c.SharePoint) ? this.SharePoint : convertedO365DataConnector.DataTypes.SharePoint.State; + convertedO365DataConnector.DataTypes.Teams.State = this.IsParameterBound(c => c.Teams) ? this.Teams : convertedO365DataConnector.DataTypes.Teams.State; dataConnector = convertedO365DataConnector; }; diff --git a/src/SecurityInsights/SecurityInsights/Common/ParameterHelpMessages.cs b/src/SecurityInsights/SecurityInsights/Common/ParameterHelpMessages.cs index 14c01ed23179..246f555e097d 100644 --- a/src/SecurityInsights/SecurityInsights/Common/ParameterHelpMessages.cs +++ b/src/SecurityInsights/SecurityInsights/Common/ParameterHelpMessages.cs @@ -92,6 +92,7 @@ public static class ParameterHelpMessages public const string DiscoveryLogs = "Data Connector Discovery Logs"; public const string Exchange = "Data Connector Exchange"; public const string SharePoint = "Data Connector SharePoint"; + public const string Teams = "Data Connector Teams"; public const string Indicators = "Data Connector Indicators"; public const string SubscriptionId = "Data connector Subscription Id"; #endregion 
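Review bot: The new Teams line dereferences `convertedO365DataConnector.DataTypes.Teams.State` unconditionally, but an Office connector created before Teams support existed may come back without a Teams block, and the convertor maps that with `value.Teams?.ConvertToPSType()`, so `DataTypes.Teams` is null and this line throws a NullReferenceException on every update of such a connector, whether or not `-Teams` was passed. Guard the assignment as below; the unbound case then leaves the object untouched instead of copying a value onto itself. The preceding Exchange and SharePoint lines use the same unconditional form, which predates this change. ExecuteCmdlet continues outside the hunk.
```csharp
// … unchanged: Exchange and SharePoint state assignments …
if (this.IsParameterBound(c => c.Teams))
{
    // Older Office connectors have no Teams block; create it before setting the state
    if (convertedO365DataConnector.DataTypes.Teams == null)
    {
        convertedO365DataConnector.DataTypes.Teams = new PSSentinelDataConnectorDataTypeOfficeTeams();
    }
    convertedO365DataConnector.DataTypes.Teams.State = this.Teams;
}
dataConnector = convertedO365DataConnector;
```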
diff --git a/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelAlertRuleTemplatesConvertors.cs b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelAlertRuleTemplatesConvertors.cs index b8ea98739bd9..653954619be8 100644 --- a/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelAlertRuleTemplatesConvertors.cs +++ b/src/SecurityInsights/SecurityInsights/Models/AlertRuleTemplates/PSSentinelAlertRuleTemplatesConvertors.cs @@ -89,7 +89,7 @@ public static PSSentinelMicrosoftSecurityIncidentCreationRuleTemplate ConvertToP Status = value.Status, CreatedDateUtc = value.CreatedDateUTC, ProductFilter = value.ProductFilter, - RequiredDataConnectors = value.RequiredDataConnectors.ConvertToPSType() + RequiredDataConnectors = value.RequiredDataConnectors?.ConvertToPSType() }; } @@ -113,7 +113,7 @@ public static PSSentinelScheduledAlertRuleTemplate ConvertToPSType(this Schedule Tactics = value.Tactics, TriggerOperator = value.TriggerOperator, TriggerThreshold = value.TriggerThreshold, - RequiredDataConnectors = value.RequiredDataConnectors.ConvertToPSType() + RequiredDataConnectors = value.RequiredDataConnectors?.ConvertToPSType() }; } diff --git a/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarksConvertors.cs b/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarksConvertors.cs index 006f70b30cba..755597d1ba38 100644 --- a/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarksConvertors.cs +++ b/src/SecurityInsights/SecurityInsights/Models/Bookmarks/PSSentinelBookmarksConvertors.cs 
@@ -31,15 +31,15 @@ public static PSSentinelBookmark ConvertToPSType(this Bookmark value) Type = value.Type, Etag = value.Etag, Created = value.Created, - CreatedBy = value.CreatedBy.ConvertToPSType(), + CreatedBy = value.CreatedBy?.ConvertToPSType(), DisplayName = value.DisplayName, - IncidentInfo = value.IncidentInfo.ConvertToPSType(), + IncidentInfo = value.IncidentInfo?.ConvertToPSType(), Labels = value.Labels, Notes = value.Notes, Query = value.Query, QueryResult = value.QueryResult, Updated = value.Updated, - UpdatedBy = value.UpdatedBy.ConvertToPSType() + UpdatedBy = value.UpdatedBy?.ConvertToPSType() }; } diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorConvertors.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorConvertors.cs index ef3e9635f850..9b07ceaa6fe2 100644 --- a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorConvertors.cs +++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorConvertors.cs @@ -101,7 +101,7 @@ public static PSSentinelDataConnectorAAD ConvertToPSType(this AADDataConnector v Type = value.Type, Etag = value.Etag, Kind = "AzureActiveDirectory", - DataTypes = value.DataTypes.ConvertToPSType(), + DataTypes = value.DataTypes?.ConvertToPSType(), TenantId = value.TenantId }; } @@ -115,7 +115,7 @@ public static PSSentinelDataConnectorAATP ConvertToPSType(this AATPDataConnector Type = value.Type, Etag = value.Etag, Kind = "AzureAdvancedThreatProtection", - DataTypes = value.DataTypes.ConvertToPSType(), + DataTypes = value.DataTypes?.ConvertToPSType(), TenantId = value.TenantId }; } @@ -129,7 +129,7 @@ public static PSSentinelDataConnectorASC ConvertToPSType(this ASCDataConnector v Type = value.Type, Etag = value.Etag, Kind = "AzureSecurityCenter", - DataTypes = value.DataTypes.ConvertToPSType(), + DataTypes = value.DataTypes?.ConvertToPSType(), SubscriptionId = value.SubscriptionId }; } 
@@ -143,7 +143,7 @@ public static PSSentinelDataConnectorAWS ConvertToPSType(this AwsCloudTrailDataC Type = value.Type, Etag = value.Etag, Kind = "AmazonWebServicesCloudTrail", - DataTypes = value.DataTypes.ConvertToPSType(), + DataTypes = value.DataTypes?.ConvertToPSType(), AwsRoleArn = value.AwsRoleArn }; } @@ -157,7 +157,7 @@ public static PSSentinelDataConnectorMCAS ConvertToPSType(this MCASDataConnector Type = value.Type, Etag = value.Etag, Kind = "MicrosoftCloudAppSecurity", - DataTypes = value.DataTypes.ConvertToPSType(), + DataTypes = value.DataTypes?.ConvertToPSType(), TenantId = value.TenantId }; } @@ -171,7 +171,7 @@ public static PSSentinelDataConnectorMDATP ConvertToPSType(this MDATPDataConnect Type = value.Type, Etag = value.Etag, Kind = "MicrosoftDefenderAdvancedThreatProtection", - DataTypes = value.DataTypes.ConvertToPSType(), + DataTypes = value.DataTypes?.ConvertToPSType(), TenantId = value.TenantId }; } @@ -185,7 +185,7 @@ public static PSSentinelDataConnectorOffice ConvertToPSType(this OfficeDataConne Type = value.Type, Etag = value.Etag, Kind = "Office365", - DataTypes = value.DataTypes.ConvertToPSType(), + DataTypes = value.DataTypes?.ConvertToPSType(), TenantId = value.TenantId }; } @@ -199,7 +199,7 @@ public static PSSentinelDataConnectorTI ConvertToPSType(this TIDataConnector val Type = value.Type, Etag = value.Etag, Kind = "ThreatIntelligence", - DataTypes = value.DataTypes.ConvertToPSType(), + DataTypes = value.DataTypes?.ConvertToPSType(), TenantId = value.TenantId }; } @@ -208,7 +208,7 @@ public static PSSentinelDataConnectorDataTypeAlert ConvertToPSType(this AlertsDa { return new PSSentinelDataConnectorDataTypeAlert() { - Alerts = value.Alerts.ConvertToPSType() + Alerts = value.Alerts?.ConvertToPSType() }; } 
@@ -216,7 +216,7 @@ public static PSSentinelDataConnectorDataTypeCloudTrail ConvertToPSType(this Aws { return new PSSentinelDataConnectorDataTypeCloudTrail() { - Logs = value.Logs.ConvertToPSType() + Logs = value.Logs?.ConvertToPSType() }; } @@ -224,8 +224,8 @@ public static PSSentinelDataConnectorDataTypeMCAS ConvertToPSType(this MCASDataC { return new PSSentinelDataConnectorDataTypeMCAS() { - Alerts = value.Alerts.ConvertToPSType(), - DiscoveryLogs = value.DiscoveryLogs.ConvertToPSType() + Alerts = value.Alerts?.ConvertToPSType(), + DiscoveryLogs = value.DiscoveryLogs?.ConvertToPSType() }; } @@ -234,8 +234,9 @@ public static PSSentinelDataConnectorDataTypeOffice ConvertToPSType(this OfficeD { return new PSSentinelDataConnectorDataTypeOffice() { - Exchange = value.Exchange.ConvertToPSType(), - SharePoint = value.SharePoint.ConvertToPSType() + Exchange = value.Exchange?.ConvertToPSType(), + SharePoint = value.SharePoint?.ConvertToPSType(), + Teams = value.Teams?.ConvertToPSType() }; } @@ -244,7 +245,7 @@ public static PSSentinelDataConnectorDataTypeTI ConvertToPSType(this TIDataConne { return new PSSentinelDataConnectorDataTypeTI() { - Indicators = value.Indicators.ConvertToPSType() + Indicators = value?.Indicators.ConvertToPSType() }; } @@ -278,6 +279,14 @@ public static PSSentinelDataConnectorDataTypeOfficeSharePoint ConvertToPSType(th }; } + public static PSSentinelDataConnectorDataTypeOfficeTeams ConvertToPSType(this OfficeDataConnectorDataTypesTeams value) + { + return new PSSentinelDataConnectorDataTypeOfficeTeams() + { + State = value.State + }; + } + public static PSSentinelDataConnectorDataTypeTIIndicator ConvertToPSType(this TIDataConnectorDataTypesIndicators value) { return new PSSentinelDataConnectorDataTypeTIIndicator() 
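Review bot: In the TI data-types convertor the null-conditional landed on the wrong operand: `Indicators = value?.Indicators.ConvertToPSType()` guards the extension-method receiver, which every other convertor in this file leaves unguarded, and still calls `ConvertToPSType` with a null `Indicators`, where it presumably reads `value.State` and throws. Change it to `Indicators = value.Indicators?.ConvertToPSType()` to match the sibling hunks and the `CreatePSType` counterpart for the same type.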
@@ -360,7 +369,7 @@ public static AADDataConnector CreatePSType(this PSSentinelDataConnectorAAD valu return new AADDataConnector() { Etag= value.Etag, - DataTypes = value.DataTypes.CreatePSType(), + DataTypes = value.DataTypes?.CreatePSType(), TenantId = value.TenantId }; } @@ -370,7 +379,7 @@ public static AATPDataConnector CreatePSType(this PSSentinelDataConnectorAATP va return new AATPDataConnector() { Etag = value.Etag, - DataTypes = value.DataTypes.CreatePSType(), + DataTypes = value.DataTypes?.CreatePSType(), TenantId = value.TenantId }; } @@ -380,7 +389,7 @@ public static ASCDataConnector CreatePSType(this PSSentinelDataConnectorASC valu return new ASCDataConnector() { Etag = value.Etag, - DataTypes = value.DataTypes.CreatePSType(), + DataTypes = value.DataTypes?.CreatePSType(), SubscriptionId = value.SubscriptionId }; } @@ -390,7 +399,7 @@ public static AwsCloudTrailDataConnector CreatePSType(this PSSentinelDataConnect return new AwsCloudTrailDataConnector() { Etag = value.Etag, - DataTypes = value.DataTypes.CreatePSType(), + DataTypes = value.DataTypes?.CreatePSType(), AwsRoleArn = value.AwsRoleArn }; } @@ -400,7 +409,7 @@ public static MCASDataConnector CreatePSType(this PSSentinelDataConnectorMCAS va return new MCASDataConnector() { Etag = value.Etag, - DataTypes = value.DataTypes.CreatePSType(), + DataTypes = value.DataTypes?.CreatePSType(), TenantId = value.TenantId }; } @@ -410,7 +419,7 @@ public static MDATPDataConnector CreatePSType(this PSSentinelDataConnectorMDATP return new MDATPDataConnector() { Etag = value.Etag, - DataTypes = value.DataTypes.CreatePSType(), + DataTypes = value.DataTypes?.CreatePSType(), TenantId = value.TenantId }; } @@ -420,7 +429,7 @@ public static OfficeDataConnector CreatePSType(this PSSentinelDataConnectorOffic return new OfficeDataConnector() { Etag = value.Etag, - DataTypes = value.DataTypes.CreatePSType(), + DataTypes = value.DataTypes?.CreatePSType(), TenantId = value.TenantId }; } 
@@ -430,7 +439,7 @@ public static TIDataConnector CreatePSType(this PSSentinelDataConnectorTI value) return new TIDataConnector() { Etag = value.Etag, - DataTypes = value.DataTypes.CreatePSType(), + DataTypes = value.DataTypes?.CreatePSType(), TenantId = value.TenantId }; } @@ -439,7 +448,7 @@ public static AlertsDataTypeOfDataConnector CreatePSType(this PSSentinelDataConn { return new AlertsDataTypeOfDataConnector() { - Alerts = value.Alerts.CreatePSType() + Alerts = value.Alerts?.CreatePSType() }; } @@ -447,7 +456,7 @@ public static AwsCloudTrailDataConnectorDataTypes CreatePSType(this PSSentinelDa { return new AwsCloudTrailDataConnectorDataTypes() { - Logs = value.Logs.CreatePSType() + Logs = value.Logs?.CreatePSType() }; } @@ -455,8 +464,8 @@ public static MCASDataConnectorDataTypes CreatePSType(this PSSentinelDataConnect { return new MCASDataConnectorDataTypes() { - Alerts = value.Alerts.CreatePSType(), - DiscoveryLogs = value.DiscoveryLogs.CreatePSType() + Alerts = value.Alerts?.CreatePSType(), + DiscoveryLogs = value.DiscoveryLogs?.CreatePSType() }; } @@ -475,7 +484,7 @@ public static TIDataConnectorDataTypes CreatePSType(this PSSentinelDataConnector { return new TIDataConnectorDataTypes() { - Indicators = value.Indicators.CreatePSType() + Indicators = value.Indicators?.CreatePSType() }; } @@ -508,6 +517,13 @@ public static OfficeDataConnectorDataTypesSharePoint CreatePSType(this PSSentine State = value.State }; } + public static OfficeDataConnectorDataTypesTeams CreatePSType(this PSSentinelDataConnectorDataTypeOfficeTeams value) + { + return new OfficeDataConnectorDataTypesTeams() + { + State = value.State + }; + } public static TIDataConnectorDataTypesIndicators CreatePSType(this PSSentinelDataConnectorDataTypeTIIndicator value) { return new TIDataConnectorDataTypesIndicators() 
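Review bot: The new `CreatePSType(this PSSentinelDataConnectorDataTypeOfficeTeams value)` in the `@@ -508,6 +517,13` hunk is inserted as seven lines with no blank line before or after it, so it butts directly against the SharePoint method's closing brace and the TIIndicator method's signature; its `ConvertToPSType` twin earlier in this diff is added with a blank separator line. Add the separating blank lines so the two halves of the file read the same way. The surrounding methods in that hunk start and end outside the visible lines.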
diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOffice.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOffice.cs index 94d0e04e6289..217cc6b3fa60 100644 --- a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOffice.cs +++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOffice.cs @@ -24,5 +24,7 @@ public class PSSentinelDataConnectorDataTypeOffice public PSSentinelDataConnectorDataTypeOfficeSharePoint SharePoint { get; set; } + public PSSentinelDataConnectorDataTypeOfficeTeams Teams { get; set; } + } } diff --git a/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOfficeTeams.cs b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOfficeTeams.cs new file mode 100644 index 000000000000..54e972c753ec --- /dev/null +++ b/src/SecurityInsights/SecurityInsights/Models/DataConnectors/PSSentinelDataConnectorsDataTypeOfficeTeams.cs 
@@ -0,0 +1,25 @@ +// ---------------------------------------------------------------------------------- +// +// Copyright Microsoft Corporation +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// ---------------------------------------------------------------------------------- + +using System; +using System.Collections.Generic; +using Microsoft.Azure.Management.SecurityInsights.Models; + +namespace Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors +{ + public class PSSentinelDataConnectorDataTypeOfficeTeams { + public string State { get; set; } + + } +} diff --git a/src/SecurityInsights/SecurityInsights/Models/IncidentComments/PSSentinelIncidentCommentConvertors.cs b/src/SecurityInsights/SecurityInsights/Models/IncidentComments/PSSentinelIncidentCommentConvertors.cs index e89b5bb3f820..9b24214fd63e 100644 --- a/src/SecurityInsights/SecurityInsights/Models/IncidentComments/PSSentinelIncidentCommentConvertors.cs +++ b/src/SecurityInsights/SecurityInsights/Models/IncidentComments/PSSentinelIncidentCommentConvertors.cs @@ -29,7 +29,7 @@ public static PSSentinelIncidentComment ConvertToPSType(this IncidentComment val Id = value.Id, Name = value.Name, Type = value.Type, - Author = value.Author.ConvertToPSType(), + Author = value.Author?.ConvertToPSType(), CreatedTimeUtc = value.CreatedTimeUtc, Message = value.Message }; 
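Review bot: The new `PSSentinelDataConnectorDataTypeOfficeTeams` file declares `using System;`, `using System.Collections.Generic;` and `using Microsoft.Azure.Management.SecurityInsights.Models;`, none of which the single `public string State { get; set; }` member references, and it places the opening brace on the class line (`public class PSSentinelDataConnectorDataTypeOfficeTeams {`), whereas the sibling `PSSentinelDataConnectorDataTypeOffice` class in the previous section appears, from its hunk header, to put the brace on its own line. Drop the unused usings, move the brace to match the sibling, and give the property a short doc comment such as `/// <summary>Connection state of the Teams data type (e.g. Enabled/Disabled) — confirm the exact values against the service model.</summary>` so the only member of the class is self-describing.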
diff --git a/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentConvertors.cs b/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentConvertors.cs index c46dba726d23..7c6fe224b4df 100644 --- a/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentConvertors.cs +++ b/src/SecurityInsights/SecurityInsights/Models/Incidents/PSSentinelIncidentConvertors.cs @@ -30,7 +30,7 @@ public static PSSentinelIncident ConvertToPSType(this Incident value) Name = value.Name, Type = value.Type, Etag = value.Etag, - AdditonalData = value.AdditionalData.ConvertToPSType(), + AdditonalData = value.AdditionalData?.ConvertToPSType(), Classification = value.Classification, ClassificationComment = value.ClassificationComment, ClassificationReason = value.ClassificationReason, @@ -39,10 +39,10 @@ public static PSSentinelIncident ConvertToPSType(this Incident value) FirstActivityTimeUtc = value.FirstActivityTimeUtc, IncidentNumber = value.IncidentNumber, IncidentUrl = value.IncidentUrl, - Labels = value.Labels.ConvertToPSType(), + Labels = value.Labels?.ConvertToPSType(), LastActivityTimeUtc = value.LastActivityTimeUtc, LastModifiedTimeUtc = value.LastModifiedTimeUtc, - Owner = value.Owner.ConvertToPSType(), + Owner = value.Owner?.ConvertToPSType(), Severity = value.Severity, Status = value.Status, Title = value.Title @@ -141,9 +141,9 @@ public static Incident CreatePSType(this PSSentinelIncident value) ClassificationReason = value.ClassificationReason, Description = value.Description, FirstActivityTimeUtc = value.FirstActivityTimeUtc, - Labels = value.Labels.CreatePSType(), + Labels = value.Labels?.CreatePSType(), LastActivityTimeUtc = value.LastActivityTimeUtc, - Owner = value.Owner.CreatePSType(), + Owner = value.Owner?.CreatePSType(), Severity = value.Severity, Status = value.Status, Title = value.Title 
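Review bot: The `@@ -30,7 +30,7` hunk rewrites the `AdditonalData = value.AdditionalData?.ConvertToPSType()` line but keeps the misspelled target property `AdditonalData` on `PSSentinelIncident`; that name is what PowerShell users see and script against, so it is effectively public API and either needs fixing now with a compatibility path or a `// TODO: property name is misspelled (AdditonalData); renaming is a breaking change for scripts` so it is not forgotten. Separately, `Labels = value.Labels?.ConvertToPSType()` here and `Labels = value.Labels?.CreatePSType()` in the `@@ -141,9 +141,9` hunk now yield a null collection rather than an empty one, so anything that enumerates `Labels` has to tolerate null — I cannot see those callers from this diff. Both enclosing methods start and end outside the hunks.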
diff --git a/src/SecurityInsights/SecurityInsights/SecurityInsights.csproj b/src/SecurityInsights/SecurityInsights/SecurityInsights.csproj index d80faa055de9..03254f0846f3 100644 --- a/src/SecurityInsights/SecurityInsights/SecurityInsights.csproj +++ b/src/SecurityInsights/SecurityInsights/SecurityInsights.csproj @@ -7,7 +7,7 @@ - + diff --git a/src/SecurityInsights/SecurityInsights/help/Az.SecurityInsights.md b/src/SecurityInsights/SecurityInsights/help/Az.SecurityInsights.md index 6f2b87d1b46b..e046a8fb8467 100644 --- a/src/SecurityInsights/SecurityInsights/help/Az.SecurityInsights.md +++ b/src/SecurityInsights/SecurityInsights/help/Az.SecurityInsights.md @@ -8,77 +8,101 @@ Locale: en-US # Az.SecurityInsights Module ## Description -Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. +Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
+The Azure Sentinel PowerShell module (Az.SecurityInsights) allows you to interact with the following components: * Incidents +* Analytics Rules (Alert Rules) +* Analytics Rules Templates +* Analytics Rules Actions (like attaching an Azure Logic Apps Playbooks to your rule) +* Bookmarks +* Data Connectors +* Comments + +All cmdlets are able to work with a connection object to provide your resourceGroupName and workspaceName like in the following example: ## Az.SecurityInsights Cmdlets ### [Get-AzSentinelAlertRule](Get-AzSentinelAlertRule.md) -Gets an Analytic (Alert Rule). +Gets a specific or all Analytic Rules (Alert Rule). ### [Get-AzSentinelAlertRuleAction](Get-AzSentinelAlertRuleAction.md) -Get an Automated Response (Alert Rule Action). +Gets an Automated Response (Alert Rule Action) for an Analytics Rule, like an Azure Logic Apps Playbook.
+Azure Sentinel Automation Rules will be supported in the future. + +*Note: This requires a parameter value of "AlertRuleId"* ### [Get-AzSentinelAlertRuleTemplate](Get-AzSentinelAlertRuleTemplate.md) -Get Analytic Rule Template. +Gets an Analytic Rule Template. ### [Get-AzSentinelBookmark](Get-AzSentinelBookmark.md) -Get a Bookmark. +Gets a Bookmark.
+A Bookmark is used to preserve queries, comments and tags for a specific incident.
+You create the Bookmark first and then add it to an incident. ### [Get-AzSentinelDataConnector](Get-AzSentinelDataConnector.md) -Get a Data Connector. +Gets a Data Connector.

+Please note that automation support is only available for the following data connectors: +* AADDataConnector +* AATPDataConnector +* ASCDataConnector +* AwsCloudTrailDataConnector +* MCASDataConnector +* MDATPDataConnector +* OfficeDataConnector +* TIDataConnector ### [Get-AzSentinelIncident](Get-AzSentinelIncident.md) -Get an Incident. +Get one or more Azure Sentinel Incidents. ### [Get-AzSentinelIncidentComment](Get-AzSentinelIncidentComment.md) -Get an Incident Comment. +Gets an Incident Comment. ### [New-AzSentinelAlertRule](New-AzSentinelAlertRule.md) -Create an Analytic (Alert Rule). +Create an Analytics Rule (Alert Rule). ### [New-AzSentinelAlertRuleAction](New-AzSentinelAlertRuleAction.md) -Add an Automated Response to an Analatic. +Add an Automated Response to an Analytic Rule. ### [New-AzSentinelBookmark](New-AzSentinelBookmark.md) -Create a Bookmark. +Creates a Bookmark for a specific incident.
### [New-AzSentinelDataConnector](New-AzSentinelDataConnector.md) -Create a Data Connector. +Creates a Data Connector. ### [New-AzSentinelIncident](New-AzSentinelIncident.md) -Create an Incident. +Creates an Incident. ### [New-AzSentinelIncidentComment](New-AzSentinelIncidentComment.md) -Add an Incident Comment to an Incident. +Adds a Comment to an Incident. ### [New-AzSentinelIncidentOwner](New-AzSentinelIncidentOwner.md) Create Incident Owner object to update an incident owner. ### [Remove-AzSentinelAlertRule](Remove-AzSentinelAlertRule.md) -Delete an Analytic. +Deletes an Analytics Rule (AlertRule) ### [Remove-AzSentinelAlertRuleAction](Remove-AzSentinelAlertRuleAction.md) -Remove an Automated Response from an Analytic. +Removes an Automated Response from an Analytic Rule. ### [Remove-AzSentinelBookmark](Remove-AzSentinelBookmark.md) -Delete a Bookmark. +Deletes a Bookmark. ### [Remove-AzSentinelDataConnector](Remove-AzSentinelDataConnector.md) -Remove a Data Connector. +Removes a Data Connector. ### [Remove-AzSentinelIncident](Remove-AzSentinelIncident.md) -Delete an Incident. +Deletes an Incident. ### [Update-AzSentinelAlertRule](Update-AzSentinelAlertRule.md) -Updata an Analtyic. +Updates an Analytic Rule (Alert Rule). ### [Update-AzSentinelAlertRuleAction](Update-AzSentinelAlertRuleAction.md) -Update an Automated Response (Alert Rule Action). +Updates an Automated Response (Alert Rule Action). ### [Update-AzSentinelBookmark](Update-AzSentinelBookmark.md) -Updata a Bookmark. +Updates a Bookmark. ### [Update-AzSentinelDataConnector](Update-AzSentinelDataConnector.md) -Updata a Data Connector. +Updates a Data Connector. ### [Update-AzSentinelIncident](Update-AzSentinelIncident.md) -Updata an Incident. +Updates an Incident + diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRule.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRule.md index d7bf4730e4cf..8e8d1db2e56c 100644 
--- a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRule.md +++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRule.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Get-AzSentinelAlertRule ## SYNOPSIS -Gets an Analytic (Alert Rule). +Gets a specific or all Analytic Rules (Alert Rule). ## SYNTAX @@ -30,26 +30,36 @@ Get-AzSentinelAlertRule -ResourceId [-DefaultProfile + +*Note: An AlertRuleId is in the following format: c464bcd7-daee-47ff-ac58-1fbb73cf1d6b and can be found in the Azure Sentinel Analytics view under the rule details pane on your right in the field "Id"* ## EXAMPLES ### Example 1 ```powershell -PS C:\> $AlertRules = Get-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" +PS C:\> $AlertRules = Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" ``` -This example gets all of the **AlertRules** in the specified workspace, and then stores it in the $AlertRules variable. +This example gets all the AlertRules in the specified workspace, and then stores it in the $AlertRules variable. ### Example 2 ```powershell -PS C:\> $AlertRule = Get-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId" +PS C:\> $AlertRule = Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -AlertRuleId "myAlertRuleId" +``` + +This example gets an AlertRule in the specified workspace, and then stores it in the $AlertRule variable.
+*Please note that **AlertRuleId** is in this format: 168d330b-219b-4191-a5b1-742c211adb05* + +### Example 3 +```powershell +Get-AzSentinelAlertRule -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName | Where-Object {$_.DisplayName -like "*Azure Security Center*"} ``` -This example gets an **AlertRule** in the specified workspace, and then stores it in the $AlertRule variable. +This example gets an AlertRule with a displayname which contains "Azure Security Center" ## PARAMETERS diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleAction.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleAction.md index 0075d81bcd50..b9a86544639b 100644 --- a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleAction.md @@ -8,7 +8,10 @@ schema: 2.0.0 # Get-AzSentinelAlertRuleAction ## SYNOPSIS -Get an Automated Response (Alert Rule Action). +Gets an Automated Response (Alert Rule Action) for an Analytics Rule, like an Azure Logic Apps Playbook.
+Azure Sentinel Automation Rules will be supported in the future. + +*Note: This requires a parameter value of "AlertRuleId"* ## SYNTAX @@ -26,7 +29,7 @@ Get-AzSentinelAlertRuleAction -ResourceGroupName -WorkspaceName If you do not specify the *ActionId* parameter, an array containing all of the Actions for the specificed Alert Rule in the specified workspace are returned. You can use the **Action** object to update the Action, for example you can change the the **Action** for an Alert Rule. @@ -34,10 +37,12 @@ You can use the **Action** object to update the Action, for example you can chan ### Example 1 ```powershell -PS C:\> $AlertRuleActions = Get-AzSentinelAlertRuleAction -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId" +PS C:\> $AlertRuleActions = Get-AzSentinelAlertRuleAction -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "29d2523f-84ce-42d3-b5f1-9e63c85aaed1" ``` -This example gets all of the **Actions** for the specified Alert Rule in the specified workspace, and then stores it in the $AlertRuleActions variable. +This example gets all of the **Actions** for the specified Alert Rule in the specified workspace, and then stores it in the $AlertRuleActions variable.

+ +*Note: the field **LogicAppResourceID** contains the full Azure Resource Manager (ARM) ID, which contains the name of the Azure Logic Apps Playbook.* ### Example 2 ```powershell diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleTemplate.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleTemplate.md index a4109cf01824..0f4157e09251 100644 --- a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleTemplate.md +++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelAlertRuleTemplate.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Get-AzSentinelAlertRuleTemplate ## SYNOPSIS -Get Analytic Rule Template. +Gets an Analytic Rule Template. ## SYNTAX @@ -50,7 +50,14 @@ This example gets all of the **AlertRuleTemplates** in the specified workspace, PS C:\> $AlertRuleTemplate = Get-AzSentinelAlertRuleTemplate -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleTemplateId "MyAlertRuleTemplateId" ``` -This example gets an **AlertRuleTemplate** in the specified workspace, and then stores it in the $AlertRuleTemplate variable. +This example gets a specific **AlertRuleTemplate** in the specified workspace, and then stores it in the $AlertRuleTemplate variable. + +### Example 3 +```powershell +Get-AzSentinelAlertRuleTemplate @SentinelConnection | Where-Object {$_.Kind -eq "Azure Active Directory"} +``` + +This example (using a connection object) gets AlertRuleTemplates of the kind "Azure Active Directory" ## PARAMETERS diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelBookmark.md index 95866aacd920..cd93cb41ba93 100644 --- a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelBookmark.md +++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelBookmark.md @@ -8,7 +8,9 @@ schema: 2.0.0 # Get-AzSentinelBookmark ## SYNOPSIS -Get a Bookmark. +Gets a Bookmark.
+A Bookmark is used to preserve queries, comments and tags for a specific incident.
+You create the Bookmark first and then add it to an incident. ## SYNTAX @@ -31,9 +33,9 @@ Get-AzSentinelBookmark -ResourceId [-DefaultProfile $Bookmarks = Get-AzSentinelBookmark -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" ``` -This example gets all of the **Bookmarks** in the specified workspace, and then stores it in the $Bookmarks variable. +This example gets all of the Bookmarks in the specified workspace, and then stores it in the $Bookmarks variable. ### Example 2 ```powershell PS C:\> $Bookmark = Get-AzSentinelBookmark -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -BookmarkId "MyBookmarkId" ``` -This example gets an **Bookmark** in the specified workspace, and then stores it in the $Bookmark variable. +This example gets an Bookmark in the specified workspace, and then stores it in the $Bookmark variable. ## PARAMETERS diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelDataConnector.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelDataConnector.md index 1aa83f73a84a..f08767e2b585 100644 --- a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelDataConnector.md +++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelDataConnector.md @@ -8,7 +8,16 @@ schema: 2.0.0 # Get-AzSentinelDataConnector ## SYNOPSIS -Get a Data Connector. +Gets a Data Connector.

+Please note that automation support is only available for the following data connectors: +* AADDataConnector +* AATPDataConnector +* ASCDataConnector +* AwsCloudTrailDataConnector +* MCASDataConnector +* MDATPDataConnector +* OfficeDataConnector +* TIDataConnector ## SYNTAX @@ -43,14 +52,21 @@ You can use the **DataConnector** object to update the Data Connector, for examp PS C:\> $DataConnectors = Get-AzSentinelDataConnector -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" ``` -This example gets all of the **DataConnectors** in the specified workspace, and then stores it in the $DataConnectors variable. +This example gets all of the DataConnectors in the specified workspace, and then stores it in the $DataConnectors variable. ### Example 2 ```powershell PS C:\> $DataConnector = Get-AzSentinelDataConnector -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -DataConnectorId "MyDataConnectorId" ``` -This example gets an **DataConnector** in the specified workspace, and then stores it in the $DataConnector variable. +This example gets an DataConnector in the specified workspace, and then stores it in the $DataConnector variable. + +### Example 3 +```powershell +Get-AzSentinelDataConnector @SentinelConnection | Where-Object {$_.Kind -eq "Office365"} +``` + +This example (using a connection object) gets the Office365 data connector. ## PARAMETERS diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncident.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncident.md index d82bb547102d..cecd03bcaeba 100644 --- a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncident.md +++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncident.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Get-AzSentinelIncident ## SYNOPSIS -Get an Incident. +Get one or more Azure Sentinel Incidents. ## SYNTAX 
@@ -30,26 +30,51 @@ Get-AzSentinelIncident -ResourceId [-DefaultProfile $Incidents = Get-AzSentinelIncident -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" +$SentinelConnection = @{ + ResourceGroupName = "myResourceGroupName" + WorkspaceName = "myWorkspaceName" +} +Get-AzSentinelIncident @SentinelConnection ``` -This example gets all of the **Incidents** in the specified workspace, and then stores it in the $Incidents variable. +This example gets all the the Incidents using a connection object ### Example 2 ```powershell -PS C:\> $Incident = Get-AzSentinelIncident -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -IncidentId "MyIncidentId" +PS C:\> $Incidents = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" +``` + +This example gets all of the Incidents in the specified workspace, and then stores it in the $Incidents variable. + +### Example 3 +```powershell +PS C:\> $Incident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" +``` + +This example gets a specific Incident in the specified workspace, and then stores it in the $Incident variable.
+*Please note that IncidentId is in this format: 168d330b-219b-4191-a5b1-742c211adb05* + +### Example 4 +```powershell +Get-AzSentinelIncident @SentinelConnection | Where-Object {$_.Title -eq "Failed AzureAD logons but success logon to host"} ``` -This example gets an **Incident** in the specified workspace, and then stores it in the $Incident variable. +This example uses a connection object and returns incidents with a specific title.
+Using a **Where-Object** condition you can retrieve incidents with a specific title, status, severity, owner, etc. ## PARAMETERS diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncidentComment.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncidentComment.md index 04d8a77b6db5..c70bf59eb141 100644 --- a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncidentComment.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Get-AzSentinelIncidentComment ## SYNOPSIS -Get an Incident Comment. +Gets an Incident Comment. ## SYNTAX @@ -42,14 +42,14 @@ If you do not specify the *IncidentCommentId* parameter, an array containing all PS C:\> $IncidentComments = Get-AzSentinelIncidentComment -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -IncidentId "MyIncidentId" ``` -This example gets all of the **IncidentComments** for the specified Incident in the specified workspace, and then stores it in the $IncidentComments variable. +This example gets all of the IncidentComments for the specified Incident in the specified workspace, and then stores it in the $IncidentComments variable. ### Example 2 ```powershell PS C:\> $IncidentComment = Get-AzSentinelIncidentComment -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -IncidentId "MyIncidentId" -IncidentCommentId "MyIncidentCommentId" ``` -This example gets an **IncidentComment** for the specified Incident in the specified workspace, and then stores it in the $IncidentComment variable. +This example gets an IncidentComment for the specified Incident in the specified workspace, and then stores it in the $IncidentComment variable. ## PARAMETERS diff --git a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRule.md b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRule.md index 07e4fcde5d97..5e0a67e9c5e6 100644 
--- a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRule.md +++ b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRule.md @@ -8,7 +8,7 @@ schema: 2.0.0 # New-AzSentinelAlertRule ## SYNOPSIS -Create an Analytic (Alert Rule). +Create an Analytics Rule (Alert Rule). ## SYNTAX @@ -18,7 +18,7 @@ New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName [-Sc [-AlertRuleId ] [-AlertRuleTemplateName ] [-Enabled] -DisplayName [-Description ] [-SuppressionDuration ] [-SuppressionEnabled] -Query -QueryFrequency -QueryPeriod -Severity - [-Tactics ] [-TriggerOperator ] + [-Tactic ] [-TriggerOperator ] -TriggerThreshold [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` @@ -53,7 +53,8 @@ PS C:\>$AlertRuleTemplateName = "f71aba3d-28fb-450b-b192-4e76a83015c8" PS C:\>$AlertRule = New-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -Fusion -Enabled -AlertRuleTemplateName $AlertRuleTemplateName ``` -This example creates a **AlertRule** of the *Fusion* kind based on the Template for *Advanced Multistage Attack Detection*, and then stores it in the $AlertRule variable. +This example creates an **AlertRule** of the *Fusion* kind based on the Template for *Advanced Multistage Attack Detection*, and then stores it in the $AlertRule variable.
+Since you are using an AlertRuleTemplate, you only have to pass the parameter *-Enabled* to enable and activate this rule. ### Example 2 ```powershell @@ -63,12 +64,37 @@ PS C:\> $AlertRule = New-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup This example creates a **AlertRule** of the *MicrosoftSecurityIncidentCreation* kind based on the template for *Create incidents based on Azure Security Center for IoT alerts*, and then stores it in the $AlertRule varaible. -### Example 2 +### Example 3 ```powershell PS C:\> $AlertRule = New-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10 ``` -This example creates a **DataConnector** of the *Scheduled* kind, and then stores it in the $AlertRule varaible. +This example creates a **DataConnector** of the *Scheduled* kind, and then stores it in the $AlertRule variable.
+*Please note that that query (parameter -Query) needs to be on a single line as as string.* + +### Example 4 +```powershell +$NewRuleObject = @{ + Scheduled = $true + Enabled = $true + Query = "SecurityEvent + | where EventID == 4624 and AccountType == ""User"" + | where Account == ""user1@contoso.com"" + | distinct Account" + + DisplayName = "A VIP has logged on" + Description = "my description" + QueryPeriod = (New-TimeSpan -Hours 1) + QueryFrequency = (New-TimeSpan -Hours 1) + TriggerThreshold = 0 + TriggerOperator = "GreaterThan" #Equal, GreaterThan, LessThan, NotEqual + Severity = "Medium" # Low, Medium, High +} +$NewRule= New-AzSentinelAlertRule @SentinelConnection @NewRuleObject +``` + +This example use a connection object and an object to configure the alert rule logic, including the query.
+*Note: Notice the double quotes in the example. If you need to use a string in the query, you need to use double quotes as escape characters.* ## PARAMETERS @@ -386,7 +412,7 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Tactics +### -Tactic Alert Rule Tactics. ```yaml diff --git a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRuleAction.md b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRuleAction.md index 8e26b6435a20..8d023e9c8a54 100644 --- a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelAlertRuleAction.md @@ -8,7 +8,7 @@ schema: 2.0.0 # New-AzSentinelAlertRuleAction ## SYNOPSIS -Add an Automated Response to an Analatic. +Add an Automated Response to an Analytic Rule. ## SYNTAX 
@@ -20,19 +20,41 @@ New-AzSentinelAlertRuleAction -ResourceGroupName -WorkspaceName $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "MyResourceGroup" -Name "Reset-AADPassword" -PS C:\>$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "MyResourceGroup" -Name "Reset-AADPassword" -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered" -PS C:\>$AlertRuleAction = New-AzSentinelAlertRuleAction -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) +$LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "MyResourceGroup" -Name "Reset-AADPassword" +$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "MyResourceGroup" -Name "Reset-AADPassword" -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered" +$AlertRuleAction = New-AzSentinelAlertRuleAction -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) ``` -This example creates an **AlertRuleAction** for the specified Alert Rule using properties of the Logic App, and then stores it in the $AlertRuleAction variable. +This example creates an AlertRuleAction for the specified Alert Rule using properties of the Logic App, and then stores it in the $AlertRuleAction variable.
+Then we use the New-AzSentinelAlertRuleAction cmdlet to add the Logic App as an action to a specifc AlertRule. + +### Example 2 +```powershell +$SentinelConnection = @{ + ResourceGroupName = "myResourceGroupName" + WorkspaceName = "mySentinelWorkspaceName" +} + +$LogicAppConnection = @{ + ResourceGroupName = "myLogicAppResourceGroupName" + Name = "Reset-AADPassword" +} + +$LogicAppResourceId = Get-AzLogicApp @LogicAppConnection +$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl @LogicAppConnection -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered" +$AnalyticsRule = Get-AzSentinelAlertRule @SentinelConnection | Where-Object {$PSItem.DisplayName -eq "Mimikatz Detected"} +$AlertRuleAction = New-AzSentinelAlertRuleAction @SentinelConnection -AlertRuleId $AnalyticsRule.Name -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) +``` + +This example uses 2 connection objects to connect with Azure Sentinel and to get a specific Logic App.
+Then a specific Analytics Rule, based on the display name, is retrieved and being used in the final **New-AzSentinelAlertRuleAction** cmdlet to add the Logic App to the Analytics Rule. ## PARAMETERS diff --git a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelBookmark.md index 233565abaeab..0078114d0620 100644 --- a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelBookmark.md +++ b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelBookmark.md @@ -8,19 +8,20 @@ schema: 2.0.0 # New-AzSentinelBookmark ## SYNOPSIS -Create a Bookmark. +Creates a Bookmark for a specific incident.
## SYNTAX ``` New-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-BookmarkId ] -DisplayName [-IncidentInfo ] - [-Label ] [-Notes ] -Query + [-Label ] [-Note ] -Query [-QueryResult ] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ## DESCRIPTION -The **New-AzSentinelBookmark** cmdlet creates a Bookmark from the specified workspace. +The **New-AzSentinelBookmark** cmdlet creates a Bookmark in the specified workspace.
+Bookmarks are used to save a query, comment or tag for a specific incident.
You can use the *Confirm* parameter and $ConfirmPreference Windows PowerShell variable to control whether the cmdlet prompts you for confirmation. ## EXAMPLES @@ -32,6 +33,25 @@ PS C:\> $Bookmark = New-AzSentinelBookmark -ResourceGroupName "MyResourceGroup" This example creates a **Bookmark** in the specified workspace, and then stores it in the $Bookmark variable. +### Example 2 +```powershell +$SentinelConnection = @{ + ResourceGroupName = "myResourceGroupName" + WorkspaceName = "myWorkspaceName" +} + +$BookmarkQuery = @" +SecurityAlert +|take 1 +"@ + +$DisplayName = "My Bookmark Query" +$Notes = "This is a comment" +New-AzSentinelBookmark @SentinelConnection -DisplayName $DisplayName -Query $BookmarkQuery -Note $Notes +``` + +This example uses a connection object to provide the resourceGroupName and workspaceName, an object to pass the Bookmark query and also creates a comment (passed with the "-Note" parameter) + ## PARAMETERS ### -BookmarkId @@ -109,7 +129,7 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Notes +### -Note Bookmark Notes. ```yaml diff --git a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelDataConnector.md b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelDataConnector.md index 890a2bbe2786..8dd6715004b8 100644 --- a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelDataConnector.md +++ b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelDataConnector.md @@ -8,7 +8,7 @@ schema: 2.0.0 # New-AzSentinelDataConnector ## SYNOPSIS -Create a Data Connector. +Creates a Data Connector. ## SYNTAX @@ -57,8 +57,8 @@ New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName ### Office365 ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName [-DataConnectorId ] - [-Office365] -Exchange -SharePoint [-DefaultProfile ] [-WhatIf] - [-Confirm] [] + [-Office365] -Exchange -SharePoint -Teams + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### ThreatIntelligence 
@@ -69,10 +69,17 @@ New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName ``` ## DESCRIPTION -The **New-AzSentinelAlertRule** cmdlet creates an Analytic (Alert Rule) in the specified workspace. -You must specify one of the parameters, for example -AzureActiveDirectory, to specify the kind of Alert rule to create. Each Kind has different required paramaters. -You can use the *Confirm* parameter and $ConfirmPreference Windows PowerShell variable to control whether the cmdlet prompts you for confirmation. -Note: Not all data connectors available in the portal are avaialble via API. +The **New-AzSentinelDataConnector** cmdlet configures and enables a data connector in the specified workspace. +You must specify one of the parameters, for example -AzureActiveDirectory, to specify the kind of Alert rule to create. Each Kind has different required parameters.

+Please note that only the following data connectors have automation support through PowerShell or the *Security.Insights* API: +* **AADDataConnector** - Represents AAD (Azure Active Directory Identity Protection) data connector +* **AATPDataConnector** - Represents AATP (Azure Advanced Threat Protection) data connector +* **ASCDataConnector** - Represents ASC (Azure Security Center) data connector +* **AwsCloudTrailDataConnector** - Represents Amazon Web Services CloudTrail data connector +* **MCASDataConnector** - Represents MCAS (Microsoft Cloud App Security) data connector +* **MDATPDataConnector** - Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector +* **OfficeDataConnector** - Represents office data connector +* **TIDataConnector** - Represents threat intelligence data connector ## EXAMPLES 
@@ -81,14 +88,25 @@ Note: Not all data connectors available in the portal are avaialble via API. PS C:\> $DataConnector = New-AzSentinelDataConnector -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AzureSecurityCenter -Alerts Enabled -SubscriptionId ((Get-AzContext).Subscription.Id) ``` -This example creates a **DataConnector** for Azure Security Center in the specified workspace, and then stores it in the $DataConnector variable. +This example creates a **DataConnector** for *Azure Security Center* in the specified workspace, and then stores it in the $DataConnector variable. ### Example 2 ```powershell PS C:\> $DataConnector = New-AzSentinelDataConnector -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -MicrosoftCloudAppSecurity -Alerts Enabled -DiscoveryLogs Disabled ``` -This example creates a **DataConnector** for Microsoft Cloud App Security in the specified workspace, and then stores it in the $DataConnector variable. +This example creates a **DataConnector** for *Microsoft Cloud App Security* in the specified workspace, and then stores it in the $DataConnector variable. + +### Examples 3 +```powershell +$SentinelConnection = @{ + ResourceGroupName = "myResourceGroupName" + WorkspaceName = "myWorkspaceName" +} +New-AzSentinelDataConnector @SentinelConnection -Office365 -Exchange Enabled -SharePoint Enabled -Teams Enabled +``` + +This example uses a connection object to pass the resourceGroupName and workspaceName. It then configures the *Office 365* data connector to collect Exchange, SharePoint and Teams logs. ## PARAMETERS 
@@ -368,6 +386,22 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Teams +Data Connector Teams + +```yaml +Type: System.String +Parameter Sets: Office365 +Aliases: +Accepted values: Enabled, Disabled + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -ThreatIntelligence Data Connector Threat Intelligence diff --git a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelIncident.md b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelIncident.md index 14a8db70ac99..a35545ee4514 100644 --- a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelIncident.md +++ b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelIncident.md @@ -8,7 +8,7 @@ schema: 2.0.0 # New-AzSentinelIncident ## SYNOPSIS -Create an Incident. +Creates an Incident. ## SYNTAX @@ -22,17 +22,20 @@ New-AzSentinelIncident -ResourceGroupName -WorkspaceName [-Inc ``` ## DESCRIPTION -The **New-AzSentinelIncident** cmdlet creates a Incident from the specified workspace. +The **New-AzSentinelIncident** cmdlet creates a Incident in the specified workspace. You can use the *Confirm* parameter and $ConfirmPreference Windows PowerShell variable to control whether the cmdlet prompts you for confirmation. ## EXAMPLES ### Example 1 ```powershell -PS C:\> $Incident = New-AzSentinelIncident -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -Title "NewIncident" -Severity Low -Status New +PS C:\> $Incident = New-AzSentinelIncident -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -Title "NewIncident" -Description "My Description" -Severity Low -Status New ``` -This example creates an **Incident** in the specified workspace, and then stores it in the $Incident variable. +This example creates an **Incident** in the specified workspace, and then stores it in the $Incident variable.

+ +*Please note that you currently cannot add entities to a new created incident through automation, which means that you cannot use the investigation feature for new created incidents through automation.
+The feature to add entities to incidents is planned and will be added in the future.* ## PARAMETERS diff --git a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelIncidentComment.md b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelIncidentComment.md index e81d96cdae83..ea5b41f4dcc2 100644 --- a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelIncidentComment.md @@ -8,7 +8,7 @@ schema: 2.0.0 # New-AzSentinelIncidentComment ## SYNOPSIS -Add an Incident Comment to an Incident. +Adds a Comment to an Incident. ## SYNTAX @@ -19,7 +19,7 @@ New-AzSentinelIncidentComment -ResourceGroupName -WorkspaceName $Incident = Get-AzSentinelIncident -ResourceGroupName "MyResourceGroup" PS C:\> $IncidentComment = New-AzSentinelIncidentComment -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -IncidentId ($Incident.Name) -Message "Still needs investigation" ``` -This example creates an **IncidentComment** in the specified workspace, and then stores it in the $IncidentComment variable. +This example creates an IncidentComment in the specified workspace, and then stores it in the $IncidentComment variable. ## PARAMETERS diff --git a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelIncidentOwner.md b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelIncidentOwner.md index f03046460393..f2257bcae128 100644 --- a/src/SecurityInsights/SecurityInsights/help/New-AzSentinelIncidentOwner.md +++ b/src/SecurityInsights/SecurityInsights/help/New-AzSentinelIncidentOwner.md @@ -14,7 +14,7 @@ Create Incident Owner object to update an incident owner. ``` New-AzSentinelIncidentOwner -AssignedTo -Email -ObjectId -UserPrincipalName - [-DefaultProfile ] [] + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ## DESCRIPTION 
@@ -109,6 +109,36 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### CommonParameters This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). diff --git a/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelAlertRule.md b/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelAlertRule.md index 0b8d2cfb6c30..8be782b9534a 100644 --- a/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelAlertRule.md +++ b/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelAlertRule.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Remove-AzSentinelAlertRule ## SYNOPSIS -Delete an Analytic. +Deletes an Analytics Rule (AlertRule) ## SYNTAX 
@@ -33,7 +33,7 @@ You can use the Confirm parameter and $ConfirmPreference Windows PowerShell vari ### Example 1 ```powershell -PS C:\> Remove-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId" +PS C:\> Remove-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "dcf87c5a-19c3-4b5a-90cd-78bf46deee5b" ``` This command removes the Alert Rule from the workspace. diff --git a/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelAlertRuleAction.md b/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelAlertRuleAction.md index 3731ec97d2b6..636639ac89cb 100644 --- a/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelAlertRuleAction.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Remove-AzSentinelAlertRuleAction ## SYNOPSIS -Remove an Automated Response from an Analytic. +Removes an Automated Response from an Analytic Rule. ## SYNTAX @@ -39,6 +39,20 @@ PS C:\> Remove-AzSentinelAlertRuleAction -ResourceGroupName "MyResourceGroup" -W This command removes the Alert Rule from the workspace. +### Example 2 +```powershell +$SentinelConnection = @{ + ResourceGroupName = "myResourceGroupName" + WorkspaceName = "myWorkspaceName" +} + +$AlertRule = Get-AzSentinelAlertRule @SentinelConnection | Where-Object {$_.DisplayName -eq "My VIP has logged in"} +$AlertRuleAction = Get-AzSentinelAlertRuleAction @SentinelConnection -AlertRuleId $AlertRule.Name +Remove-AzSentinelAlertRuleAction @SentinelConnection -AlertRuleId $AlertRule.Name -ActionId $AlertRuleAction.Name +``` + +This example uses a connection object to pass the *resourceGroupName* and the *workspaceName*. It first gets the *AlertRule* with a specific *DisplayName*, then gets the *AlertRuleAction* and finally removes it from the AlertRule. + ## PARAMETERS ### -ActionId 
diff --git a/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelBookmark.md index 9dd03f01fcb4..7e52a74beb4e 100644 --- a/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelBookmark.md +++ b/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelBookmark.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Remove-AzSentinelBookmark ## SYNOPSIS -Delete a Bookmark. +Deletes a Bookmark. ## SYNTAX @@ -26,7 +26,7 @@ Remove-AzSentinelBookmark -InputObject [-PassThru] ## DESCRIPTION The **Remove-AzSentinelBookmark** cmdlet permanently deletes a Bookmark from a specified workspace. -You can pass an **Bookmark** object by using the pipeline operator, or alternatively you can specify the required parameters. +You can pass an Bookmark object by using the pipeline operator, or alternatively you can specify the required parameters. You can use the Confirm parameter and $ConfirmPreference Windows PowerShell variable to control whether the cmdlet prompts you for confirmation. ## EXAMPLES @@ -38,6 +38,18 @@ PS C:\> Remove-AzSentinelBookmark -ResourceGroupName "MyResourceGroup" -Workspac This command removes the Bookmark from the workspace. +### Example 2 +```powershell +$SentinelConnection = @{ + ResourceGroupName = "myResourceGroupName" + WorkspaceName = "myWorkspaceName" +} +$Bookmark = Get-AzSentinelBookmark @SentinelConnection | Where-Object {$_.DisplayName -eq "My Bookmark"} +Remove-AzSentinelBookmark @SentinelConnection -BookmarkId $Bookmark.Name +``` + +This example uses a connection object to pass the resourceGroupName and workspaceName to get a Bookmark with a specific name. It then uses the BookmarkId to remove it. + ## PARAMETERS ### -BookmarkId diff --git a/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelDataConnector.md b/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelDataConnector.md index 9ce369d3fb12..f1c0383f1943 100644 
--- a/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelDataConnector.md +++ b/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelDataConnector.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Remove-AzSentinelDataConnector ## SYNOPSIS -Remove a Data Connector. +Removes a Data Connector. ## SYNTAX @@ -38,6 +38,19 @@ PS C:\> Remove-AzSentinelDataConnector -ResourceGroupName "MyResourceGroup" -Wor This command removes the DataConnector from the workspace. +### Example 2 +```powershell +$SentinelConnection = @{ + ResourceGroupName = "myResourceGroupName" + WorkspaceName = "myWorkspaceName" +} +$DataConnector = Get-AzSentinelDataConnector @SentinelConnection | Where-Object {$_.Kind -eq "Office365"} +Remove-AzSentinelDataConnector @SentinelConnection -DataConnectorId $DataConnector.Name +``` + +This example uses a connection object to pass the resourceGroupName and the workspaceName. Then it gets a specific connector, filtered by *Kind* which is being passed to remove the data connector.

+*Note: the $DataConnector.Name is the DataConnectorId.* + ## PARAMETERS ### -DataConnectorId diff --git a/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelIncident.md b/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelIncident.md index 08156a47a482..02fc97f53bfe 100644 --- a/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelIncident.md +++ b/src/SecurityInsights/SecurityInsights/help/Remove-AzSentinelIncident.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Remove-AzSentinelIncident ## SYNOPSIS -Delete an Incident. +Deletes an Incident. ## SYNTAX @@ -38,6 +38,18 @@ PS C:\> Remove-AzSentinelIncident -ResourceGroupName "MyResourceGroup" -Workspac This command removes the Incident from the workspace. +### Example 2 +```powershell +$SentinelConnection = @{ + ResourceGroupName = "myResourceGroupName" + WorkspaceName = "myWorkspaceName" +} +$Incident = Get-AzSentinelIncident @SentinelConnection | Where-Object {$_.IncidentNumber -eq "346"} +Remove-AzSentinelIncident @SentinelConnection -IncidentId $Incident.Name +``` + +This example uses a connection object to pass the resourceGroupName and workspaceName to get a specific Incident based on the Incident number (as shown in the Incident view). Then it uses the $Incident.Name value (which represents the IncidentId) to delete the Incident. + ## PARAMETERS ### -DefaultProfile diff --git a/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelAlertRule.md b/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelAlertRule.md index 6119eb2afd20..350a20b8186c 100644 --- a/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelAlertRule.md +++ b/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelAlertRule.md 
@@ -8,56 +8,54 @@ schema: 2.0.0 # Update-AzSentinelAlertRule ## SYNOPSIS -Create an Analytic (Alert Rule). +Updates an Analytic Rule (Alert Rule). ## SYNTAX ### AlertRuleId (Default) ``` Update-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -AlertRuleId - [-AlertRuleTemplateName ] [-Enabled] [-Disabled] [-DisplayName ] - [-ProductFilter ] [-Description ] - [-DisplayNamesExcludeFilter ] + [-AlertRuleTemplateName ] [-Enabled] [-Disabled] [-DisplayName ] [-ProductFilter ] + [-Description ] [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] [-SeveritiesFilter ] [-SuppressionDuration ] [-SuppressionEnabled] [-SuppressionDisabled] [-Query ] [-QueryFrequency ] - [-QueryPeriod ] [-Severity ] [-Tactics ] + [-QueryPeriod ] [-Severity ] [-Tactic ] [-TriggerOperator ] [-TriggerThreshold ] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### InputObject ``` -Update-AzSentinelAlertRule [-AlertRuleTemplateName ] [-Enabled] [-Disabled] - [-DisplayName ] [-ProductFilter ] [-Description ] +Update-AzSentinelAlertRule [-AlertRuleTemplateName ] [-Enabled] [-Disabled] [-DisplayName ] + [-ProductFilter ] [-Description ] [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] [-SeveritiesFilter ] [-SuppressionDuration ] [-SuppressionEnabled] [-SuppressionDisabled] [-Query ] [-QueryFrequency ] - [-QueryPeriod ] [-Severity ] [-Tactics ] + [-QueryPeriod ] [-Severity ] [-Tactic ] [-TriggerOperator ] [-TriggerThreshold ] -InputObject [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### ResourceId ``` -Update-AzSentinelAlertRule [-AlertRuleTemplateName ] [-Enabled] [-Disabled] - [-DisplayName ] [-ProductFilter ] [-Description ] +Update-AzSentinelAlertRule [-AlertRuleTemplateName ] [-Enabled] [-Disabled] [-DisplayName ] + [-ProductFilter ] [-Description ] [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] [-SeveritiesFilter ] [-SuppressionDuration ] [-SuppressionEnabled] [-SuppressionDisabled] [-Query ] [-QueryFrequency ] - [-QueryPeriod ] [-Severity ] [-Tactics ] + [-QueryPeriod ] 
[-Severity ] [-Tactic ] [-TriggerOperator ] [-TriggerThreshold ] -ResourceId [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ## DESCRIPTION -The **Update-AzSentinelAlertRule** cmdlet updates an Analytic (Alert Rule) in the specified workspace. -You can use an -InputObject or -ResourceId or -AlertId. You can update 1 or more proprtery parmaters. +The **Update-AzSentinelAlertRule** cmdlet updates an Analytic (Alert) Rule in the specified workspace. +You can use an -InputObject or -ResourceId or -AlertId. You can update 1 or more property parameters. You can use the *Confirm* parameter and $ConfirmPreference Windows PowerShell variable to control whether the cmdlet prompts you for confirmation. - ## EXAMPLES ### Example 1 @@ -65,7 +63,7 @@ You can use the *Confirm* parameter and $ConfirmPreference Windows PowerShell va PS C:\> Update-AzSentinelAlertRule -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId" -Disabled -DisplayName "Disabled-AlertRuleDisplayName" ``` -This example updates an **AlertRule** setting it to *Disabled* and renames to *Disabled-AlertRuleDisplayName*. All other properties will remain the same. +This example updates an **AlertRule** setting it to *Disabled* and renames the AlertRule to *Disabled-AlertRuleDisplayName*. All other properties will remain the same. ### Example 2 ```powershell 
@@ -75,6 +73,17 @@ PS C:\> Update-AzSentinelAlertRule -InputObject $AlertRule -Disabled This example updates an **AlertRule** using an InputObject setting it to *Disabled*. All other properties will remain the same. +### Example 3 +```powershell +$SentinelConnection = @{ + ResourceGroupName = "myResourceGroupName" + WorkspaceName = "myWorkspaceName" +} +$ruleToDisable = Get-AzSentinelAlertRule @SentinelConnection | Where-Object {$_.DisplayName -eq "Mimikatz Detected"} +Update-AzSentinelAlertRule @SentinelConnection -AlertRuleId $ruleToDisable.Name -Disabled +``` + +This example uses a connection object to pass the resourceGroupName and workspaceName. It then gets a specific AlertRule based on the display name and disables the rule. ## PARAMETERS @@ -82,7 +91,7 @@ This example updates an **AlertRule** using an InputObject setting it to *Disabl Alert Rule Id. ```yaml -Type: String +Type: System.String Parameter Sets: AlertRuleId Aliases: @@ -97,7 +106,7 @@ Accept wildcard characters: False Alert Rule Template. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: @@ -112,7 +121,7 @@ Accept wildcard characters: False The credentials, account, tenant, and subscription used for communication with Azure. ```yaml -Type: IAzureContextContainer +Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer Parameter Sets: (All) Aliases: AzContext, AzureRmContext, AzureCredential @@ -127,7 +136,7 @@ Accept wildcard characters: False Description. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: @@ -142,7 +151,7 @@ Accept wildcard characters: False Alert Rule Disabled. ```yaml -Type: Boolean +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: @@ -157,7 +166,7 @@ Accept wildcard characters: False Alert Rule Display Name. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: 
@@ -202,7 +211,7 @@ Accept wildcard characters: False Alert Rule Enabled. ```yaml -Type: Boolean +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: @@ -217,7 +226,7 @@ Accept wildcard characters: False InputObject. ```yaml -Type: PSSentinelAlertRule +Type: Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule Parameter Sets: InputObject Aliases: @@ -232,7 +241,7 @@ Accept wildcard characters: False Alert Rule Product Filter. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: Accepted values: Azure Active Directory Identity Protection, Azure Advanced Threat Protection, Azure Security Center, Azure Security Center for IoT, Microsoft Cloud App Security, Microsoft Defender Advanced Threat Protection, Office 365 Advanced Threat Protection @@ -248,7 +257,7 @@ Accept wildcard characters: False Alert Rule Query. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: @@ -263,7 +272,7 @@ Accept wildcard characters: False Alert Rule Query Frequency. ```yaml -Type: TimeSpan +Type: System.Nullable`1[System.TimeSpan] Parameter Sets: (All) Aliases: @@ -278,7 +287,7 @@ Accept wildcard characters: False Alert Rule Query Period. ```yaml -Type: TimeSpan +Type: System.Nullable`1[System.TimeSpan] Parameter Sets: (All) Aliases: @@ -293,7 +302,7 @@ Accept wildcard characters: False Resource group name. ```yaml -Type: String +Type: System.String Parameter Sets: AlertRuleId Aliases: @@ -308,7 +317,7 @@ Accept wildcard characters: False Resource Id. ```yaml -Type: String +Type: System.String Parameter Sets: ResourceId Aliases: @@ -338,7 +347,7 @@ Accept wildcard characters: False Incident Severity. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: @@ -353,7 +362,7 @@ Accept wildcard characters: False Alert Rule Suppression Disabled. ```yaml -Type: SwitchParameter +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: 
@@ -368,7 +377,7 @@ Accept wildcard characters: False Alert Rule Suppression Duration. ```yaml -Type: TimeSpan +Type: System.TimeSpan Parameter Sets: (All) Aliases: @@ -383,7 +392,7 @@ Accept wildcard characters: False Alert Rule Suppression Enabled. ```yaml -Type: SwitchParameter +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: @@ -394,7 +403,7 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Tactics +### -Tactic Alert Rule Tactics. ```yaml @@ -413,7 +422,7 @@ Accept wildcard characters: False Alert Rule Trigger Operator. ```yaml -Type: TriggerOperator +Type: Microsoft.Azure.Management.SecurityInsights.Models.TriggerOperator Parameter Sets: (All) Aliases: Accepted values: GreaterThan, LessThan, Equal, NotEqual @@ -429,7 +438,7 @@ Accept wildcard characters: False Alert Rule Trigger Threshold. ```yaml -Type: Int32 +Type: System.Nullable`1[System.Int32] Parameter Sets: (All) Aliases: @@ -444,7 +453,7 @@ Accept wildcard characters: False Workspace Name. ```yaml -Type: String +Type: System.String Parameter Sets: AlertRuleId Aliases: @@ -459,7 +468,7 @@ Accept wildcard characters: False Prompts you for confirmation before running the cmdlet. ```yaml -Type: SwitchParameter +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: cf @@ -475,7 +484,7 @@ Shows what would happen if the cmdlet runs. The cmdlet is not run. ```yaml -Type: SwitchParameter +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: wi diff --git a/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelAlertRuleAction.md b/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelAlertRuleAction.md index 8371d743e359..bc75bc806dbb 100644 --- a/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelAlertRuleAction.md 
@@ -8,7 +8,7 @@ schema: 2.0.0 # Update-AzSentinelAlertRuleAction ## SYNOPSIS -Update an Automated Response (Alert Rule Action). +Updates an Automated Response (Alert Rule Action). ## SYNTAX @@ -46,7 +46,7 @@ PS C:\>$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName PS C:\> Update-AzSentinelBookmark -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -AlertRuleId "MyAlertRuleId" -ActionId "MyActionId" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) ``` -This example updates an **AlertRuleAction** replacing an existing *Action* with new properties. +This example updates an AlertRuleAction replacing an existing *Action* with new properties. ### Example 2 ```powershell @@ -54,7 +54,7 @@ PS C:\> $AlertRuleAction = Get-AzSentinelAlertRuleAction -ResourceGroupName "MyR PS C:\> Update-AzSentinelAlertRuleAction -InputObject $AlertRuleAction -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) ``` -This example updates an **AlertRuleAction** using an InputObject replacing an existing *Action* with new properties. +This example updates an AlertRuleAction using an InputObject replacing an existing *Action* with new properties. ## PARAMETERS diff --git a/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelBookmark.md b/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelBookmark.md index 168b57fe7787..51126b16f9ef 100644 --- a/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelBookmark.md +++ b/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelBookmark.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Update-AzSentinelBookmark ## SYNOPSIS -Update a Bookmark. +Updates a Bookmark. ## SYNTAX 
@@ -16,7 +16,7 @@ Update a Bookmark. ``` Update-AzSentinelBookmark -ResourceGroupName -WorkspaceName -BookmarkId [-DisplayName ] [-IncidentInfo ] - [-Label ] [-Notes ] [-Query ] + [-Label ] [-Note ] [-Query ] [-QueryResult ] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` @@ -24,7 +24,7 @@ Update-AzSentinelBookmark -ResourceGroupName -WorkspaceName -B ``` Update-AzSentinelBookmark -InputObject [-DisplayName ] [-IncidentInfo ] [-Label ] - [-Notes ] [-Query ] [-QueryResult ] [-DefaultProfile ] + [-Note ] [-Query ] [-QueryResult ] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` @@ -32,7 +32,7 @@ Update-AzSentinelBookmark -InputObject [-DisplayName [-DisplayName ] [-IncidentInfo ] [-Label ] - [-Notes ] [-Query ] [-QueryResult ] [-DefaultProfile ] + [-Note ] [-Query ] [-QueryResult ] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` @@ -48,7 +48,7 @@ You can use the *Confirm* parameter and $ConfirmPreference Windows PowerShell va PS C:\> Update-AzSentinelBookmark -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceNAme" -BookmarkId "MyBookmarkId" -Notes "Found something interesting" ``` -The command updates the Bookmark by setting the *Notes* property. All other propreties stay the same. +The command updates the Bookmark by setting the *Notes* property. All other properties stay the same. ### Example 2 ```powershell @@ -57,7 +57,7 @@ PS C:\> $Bookmark | Set-AzSentinelBookmark -Notes "Found something interesting" ``` The first command gets the Bookmark by *BookmarkId* from the specified workspace, and then stores it in the $Bookmark variable. -The second command updates the Notes property. All other propreties stay the same. +The second command updates the Notes property. All other properties stay the same. ## PARAMETERS 
@@ -65,8 +65,8 @@ The second command updates the Notes property. All other propreties stay the s Bookmark Id, ```yaml -Type: String -Parameter Sets: BookmarkId., ParentObject +Type: System.String +Parameter Sets: BookmarkId. Aliases: Required: True @@ -80,7 +80,7 @@ Accept wildcard characters: False The credentials, account, tenant, and subscription used for communication with Azure. ```yaml -Type: IAzureContextContainer +Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer Parameter Sets: (All) Aliases: AzContext, AzureRmContext, AzureCredential @@ -95,7 +95,7 @@ Accept wildcard characters: False Bookmark Rule Display Name. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: @@ -110,7 +110,7 @@ Accept wildcard characters: False Bookmark Incident Info. ```yaml -Type: PSSentinelBookmarkIncidentInfo +Type: Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmarkIncidentInfo Parameter Sets: (All) Aliases: @@ -125,7 +125,7 @@ Accept wildcard characters: False InputObject. ```yaml -Type: PSSentinelBookmark +Type: Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark Parameter Sets: InputObject Aliases: @@ -151,11 +151,11 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Notes +### -Note Bookmark Notes. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: @@ -170,7 +170,7 @@ Accept wildcard characters: False Bookmark Query. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: @@ -185,7 +185,7 @@ Accept wildcard characters: False Bookmark Query Result. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: @@ -200,7 +200,7 @@ Accept wildcard characters: False Resource group name. ```yaml -Type: String +Type: System.String Parameter Sets: BookmarkId. Aliases: 
@@ -215,7 +215,7 @@ Accept wildcard characters: False Resource Id. ```yaml -Type: String +Type: System.String Parameter Sets: ResourceId Aliases: @@ -230,7 +230,7 @@ Accept wildcard characters: False Workspace Name. ```yaml -Type: String +Type: System.String Parameter Sets: BookmarkId. Aliases: @@ -245,7 +245,7 @@ Accept wildcard characters: False Prompts you for confirmation before running the cmdlet. ```yaml -Type: SwitchParameter +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: cf @@ -261,7 +261,7 @@ Shows what would happen if the cmdlet runs. The cmdlet is not run. ```yaml -Type: SwitchParameter +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: wi diff --git a/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelDataConnector.md b/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelDataConnector.md index 7c6ee5e47156..782af3e5a59f 100644 --- a/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelDataConnector.md +++ b/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelDataConnector.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Update-AzSentinelDataConnector ## SYNOPSIS -Update a Data Connector. +Updates a Data Connector. ## SYNTAX @@ -16,7 +16,7 @@ Update a Data Connector. ``` Update-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -DataConnectorId [-Alerts ] [-SubscriptionId ] [-AwsRoleArn ] [-Logs ] - [-DiscoveryLogs ] [-Exchange ] [-SharePoint ] [-Indicators ] + [-DiscoveryLogs ] [-Exchange ] [-SharePoint ] [-Teams ] [-Indicators ] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` 
@@ -24,15 +24,16 @@ Update-AzSentinelDataConnector -ResourceGroupName -WorkspaceName [-Alerts ] [-SubscriptionId ] [-AwsRoleArn ] [-Logs ] [-DiscoveryLogs ] - [-Exchange ] [-SharePoint ] [-Indicators ] [-DefaultProfile ] - [-WhatIf] [-Confirm] [] + [-Exchange ] [-SharePoint ] [-Teams ] [-Indicators ] + [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### ResourceId ``` Update-AzSentinelDataConnector -ResourceId [-Alerts ] [-SubscriptionId ] [-AwsRoleArn ] [-Logs ] [-DiscoveryLogs ] [-Exchange ] [-SharePoint ] - [-Indicators ] [-DefaultProfile ] [-WhatIf] [-Confirm] [] + [-Teams ] [-Indicators ] [-DefaultProfile ] [-WhatIf] [-Confirm] + [] ``` ## DESCRIPTION @@ -47,7 +48,7 @@ You can use the *Confirm* parameter and $ConfirmPreference Windows PowerShell va PS C:\> Update-AzSentinelDataConnector -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -DataConnectorId "MyDataConnectorId" -Alerts Disabled ``` -The command gets the Data Connector by *DataConnectorId* and sets the *Alerts* state to *Disabled*. All other properties remain the same. +This example gets the Data Connector by *DataConnectorId* and sets the *Alerts* state to *Disabled*. All other properties remain the same. ## PARAMETERS @@ -55,7 +56,7 @@ The command gets the Data Connector by *DataConnectorId* and sets the *Alerts* s Data Connector Alerts ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: Accepted values: Enabled, Disabled @@ -71,7 +72,7 @@ Accept wildcard characters: False Data Connector AWS Role Arn ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: @@ -86,7 +87,7 @@ Accept wildcard characters: False Data Connector Id. ```yaml -Type: String +Type: System.String Parameter Sets: DataConnectorId Aliases: 
@@ -101,7 +102,7 @@ Accept wildcard characters: False The credentials, account, tenant, and subscription used for communication with Azure. ```yaml -Type: IAzureContextContainer +Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer Parameter Sets: (All) Aliases: AzContext, AzureRmContext, AzureCredential @@ -116,7 +117,7 @@ Accept wildcard characters: False Data Connector Discovery Logs ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: Accepted values: Enabled, Disabled @@ -132,7 +133,7 @@ Accept wildcard characters: False Data Connector Exchange ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: Accepted values: Enabled, Disabled @@ -148,7 +149,7 @@ Accept wildcard characters: False Data Connector Indicators ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: Accepted values: Enabled, Disabled @@ -164,7 +165,7 @@ Accept wildcard characters: False InputObject. ```yaml -Type: PSSentinelDataConnector +Type: Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector Parameter Sets: InputObject Aliases: @@ -179,7 +180,7 @@ Accept wildcard characters: False Data Connector Logs ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: Accepted values: Enabled, Disabled @@ -195,7 +196,7 @@ Accept wildcard characters: False Resource group name. ```yaml -Type: String +Type: System.String Parameter Sets: DataConnectorId Aliases: @@ -210,7 +211,7 @@ Accept wildcard characters: False Resource Id. ```yaml -Type: String +Type: System.String Parameter Sets: ResourceId Aliases: @@ -225,7 +226,7 @@ Accept wildcard characters: False Data Connector SharePoint ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: Accepted values: Enabled, Disabled 
@@ -241,9 +242,25 @@ Accept wildcard characters: False Data connector Subscription Id ```yaml -Type: String +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Teams +Data Connector Teams + +```yaml +Type: System.String Parameter Sets: (All) Aliases: +Accepted values: Enabled, Disabled Required: False Position: Named @@ -256,7 +273,7 @@ Accept wildcard characters: False Workspace Name. ```yaml -Type: String +Type: System.String Parameter Sets: DataConnectorId Aliases: @@ -271,7 +288,7 @@ Accept wildcard characters: False Prompts you for confirmation before running the cmdlet. ```yaml -Type: SwitchParameter +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: cf @@ -287,7 +304,7 @@ Shows what would happen if the cmdlet runs. The cmdlet is not run. ```yaml -Type: SwitchParameter +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: wi diff --git a/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelIncident.md b/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelIncident.md index d2ff7c6b08f9..ca91be16ce54 100644 --- a/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelIncident.md +++ b/src/SecurityInsights/SecurityInsights/help/Update-AzSentinelIncident.md @@ -8,7 +8,7 @@ schema: 2.0.0 # Update-AzSentinelIncident ## SYNOPSIS -Update an Incident. +Updates an Incident ## SYNTAX @@ -18,7 +18,7 @@ Update-AzSentinelIncident -ResourceGroupName -WorkspaceName -I [-Classification ] [-ClassificationComment ] [-ClassificationReason ] [-Description ] [-Label ] - [-Owner ] -Severity -Status -Title + [-Owner ] [-Severity ] [-Status ] [-Title ] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` 
@@ -27,7 +27,7 @@ Update-AzSentinelIncident -ResourceGroupName -WorkspaceName -I Update-AzSentinelIncident -InputObject [-Classification ] [-ClassificationComment ] [-ClassificationReason ] [-Description ] [-Label ] - [-Owner ] -Severity -Status -Title + [-Owner ] [-Severity ] [-Status ] [-Title ] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` @@ -36,7 +36,7 @@ Update-AzSentinelIncident -InputObject [-Classification [-Classification ] [-ClassificationComment ] [-ClassificationReason ] [-Description ] [-Label ] - [-Owner ] -Severity -Status -Title + [-Owner ] [-Severity ] [-Status ] [-Title ] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` @@ -49,10 +49,36 @@ You can use the *Confirm* parameter and $ConfirmPreference Windows PowerShell va ### Example 1 ```powershell -PS C:\> Update-AzSentinelIncident -ResourceGroupName "MyResourceGroup" -WorkspaceName "MyWorkspaceName" -IncidentId "MyIncidentId" -Severity High +PS C:\> Update-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Severity High ``` -The command gets the Incident by *IncidentId* and sets the *Severity* property to *High*. All other properties remain the same. +This example gets the Incident by *IncidentId* and sets the *Severity* property to *High*. All other properties remain unchanged. + +### Example 2 +```powershell +$ownerObject = @{"AssignedTo" = "John Doe"; "Email" = "johndoe@contoso.com"; "ObjectId" = "f4e959b4-feda-4345-a1e7-16b4af2fc226";"UserPrincipalName" = "johndoe@contoso.com"} +Update-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId a4b586c8-97d8-4cc5-9154-b723c62d26d8 -Owner $ownerObject +``` + +This example first creates an "*owner object*" which contains the owner information, then the **Update-AzSentinelIncident** cmdlet is used to pass the ownerObject to update the incident.

+ +*Note: The owner ObjectId can be found under the user details view under Azure Active Directory. If you want to automate the retrieval of the ObjectId through scripting you can leverage the Azure Active Directory PowerShell module, like this: Get-AzureADUser -ObjectId "johndoe@contoso.com".* + +### Example 3 +```powershell +Update-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentID "561c5184-f8da-4d8b-8544-c89e422bbf6f" -Classification FalsePositive -Status "Closed" +``` + +This example closes a specific incident with the **Classification** of "False Positive"
+*Note: providing a Classification upon closing is mandatory* + +### Example 4 +```powershell +Update-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" +-IncidentID "561c5184-f8da-4d8b-8544-c89e422bbf6f" -Classification FalsePositive -ClassificationComment "my comment" -ClassificationReason InaccurateData -Status "Closed" +``` + +This example closes a specific incident and provides a classification comment and reason ## PARAMETERS @@ -60,7 +86,7 @@ The command gets the Incident by *IncidentId* and sets the *Severity* property t Incident Classificaiton. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: Accepted values: BenignPositive, FalsePositive, TruePositive, Undetermined @@ -76,7 +102,7 @@ Accept wildcard characters: False Incident Classificaiton Comment. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: @@ -91,7 +117,7 @@ Accept wildcard characters: False Incident Classificaiton Reason. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: Accepted values: InaccurateData, IncorrectAlertLogic, SuspiciousActivity, SuspiciousButExpected @@ -107,7 +133,7 @@ Accept wildcard characters: False The credentials, account, tenant, and subscription used for communication with Azure. ```yaml -Type: IAzureContextContainer +Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer Parameter Sets: (All) Aliases: AzContext, AzureRmContext, AzureCredential @@ -122,7 +148,7 @@ Accept wildcard characters: False Description. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: @@ -137,8 +163,8 @@ Accept wildcard characters: False Incident Id. ```yaml -Type: String -Parameter Sets: IncidentId, ParentObject +Type: System.String +Parameter Sets: IncidentId Aliases: Required: True 
@@ -152,7 +178,7 @@ Accept wildcard characters: False InputObject. ```yaml -Type: PSSentinelIncident +Type: Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident Parameter Sets: InputObject Aliases: @@ -182,7 +208,7 @@ Accept wildcard characters: False Incident Owner. ```yaml -Type: PSSentinelIncidentOwner +Type: Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncidentOwner Parameter Sets: (All) Aliases: @@ -197,7 +223,7 @@ Accept wildcard characters: False Resource group name. ```yaml -Type: String +Type: System.String Parameter Sets: IncidentId Aliases: @@ -212,7 +238,7 @@ Accept wildcard characters: False Resource Id. ```yaml -Type: String +Type: System.String Parameter Sets: ResourceId Aliases: @@ -227,12 +253,12 @@ Accept wildcard characters: False Incident Severity. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: Accepted values: High, Informational, Low, Medium -Required: True +Required: False Position: Named Default value: None Accept pipeline input: False @@ -243,12 +269,12 @@ Accept wildcard characters: False Incident Status. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: Accepted values: Active, Closed, New -Required: True +Required: False Position: Named Default value: None Accept pipeline input: False @@ -259,11 +285,11 @@ Accept wildcard characters: False Incident Title. ```yaml -Type: String +Type: System.String Parameter Sets: (All) Aliases: -Required: True +Required: False Position: Named Default value: None Accept pipeline input: False @@ -274,7 +300,7 @@ Accept wildcard characters: False Workspace Name. ```yaml -Type: String +Type: System.String Parameter Sets: IncidentId Aliases: @@ -289,7 +315,7 @@ Accept wildcard characters: False Prompts you for confirmation before running the cmdlet. ```yaml -Type: SwitchParameter +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: cf 
@@ -305,7 +331,7 @@ Shows what would happen if the cmdlet runs. The cmdlet is not run. ```yaml -Type: SwitchParameter +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: wi diff --git a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/SignatureIssues.csv b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/SignatureIssues.csv index 73562670b6e7..d96a3d39ebc7 100644 --- a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/SignatureIssues.csv +++ b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/SignatureIssues.csv 
@@ -11,3 +11,5 @@ "Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","1","8410","Parameter Logs of cmdlet Update-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." "Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","1","8410","Parameter DiscoveryLogs of cmdlet Update-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." "Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","1","8410","Parameter Indicators of cmdlet Update-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." +"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","1","8410","Parameter Teams of cmdlet New-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." 
+"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","1","8410","Parameter Teams of cmdlet Update-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name."